The SRP protocol
Part 3 is going to be a little more technical, and we'll give you some of the important details to understand; but if you're intrigued, curious and willing, take a look at the original whitepaper:
http://srp.stanford.edu/ndss.html.
The SRP protocol combines techniques of zero-knowledge proofs with asymmetric key exchange protocols and offers significantly improved performance over comparably strong extended methods that resist stolen-verifier attacks, such as Augmented EKE or B-SPEKE. What follows is a complete description of the entire SRP authentication process from beginning to end, starting with the password setup steps.
Here is the mathematical notation for SRP, to refer back to if you're serious about reading further:
The values n and g are well-known values, agreed to beforehand.
*Moving forward, use the notation above whenever symbols or alphabetic characters are referenced.
To establish a password P with Steve, Carol picks a random salt s and computes:
x = H(s, P)
v = g^x
Steve stores v and s as Carol's password verifier and salt. Remember that the computation of v is implicitly reduced modulo n. x is discarded because it is equivalent to the plaintext password P.
The AKE protocol also allows Steve to have a password z with a corresponding public key held by Carol; in SRP, we set z = 0 so that it drops out of the equations. Since this private key is 0, the corresponding public key is 1. Consequently, instead of safeguarding its own password z, Steve needs only to keep Carol's verifier v secret to assure mutual authentication. This frees Carol from having to remember Steve's public key and simplifies the protocol.
To authenticate, Carol and Steve engage in the protocol described in Table 4. A description of each step follows:
1. Carol sends Steve her username, (e.g. carol).
2. Steve looks up Carol's password entry and fetches her password verifier v and her salt s. He sends s to Carol. Carol computes her long-term private key x using s and her real password P.
3. Carol generates a random number a, 1 < a < n, computes her ephemeral public key A = g^a, and sends it to Steve.
4. Steve generates his own random number b, 1 < b < n, computes his ephemeral public key B = v + g^b, and sends it back to Carol, along with the randomly generated parameter u.
5. Carol and Steve compute the common exponential value S = g^(ab + bux) using the values available to each of them. If Carol's password P entered in Step 2 matches the one she originally used to generate v, then both values of S will match.
6. Both sides hash the exponential S into a cryptographically strong session key.
7. Carol sends Steve M[1] as evidence that she has the correct session key. Steve computes M[1] himself and verifies that it matches what Carol sent him.
8. Steve sends Carol M[2] as evidence that he also has the correct session key. Carol also verifies M[2] herself, accepting only if it matches Steve's value.
We've mentioned that the SRP protocol includes a zero-knowledge proof (Elliptic Curve). How so?
Fortunately, the mathematical structure of the SRP protocol is sufficiently similar to that of the Diffie-Hellman (DH) protocol.
Attack vectors:
Resistance to the Denning-Sacco attack
Resistance to active attacks
Resistance to the subgroup confinement attack
The case for optimising SRP (we need to optimise performance in order to achieve one of our USPs: speed of transactions).
If you recall Table 4 above, it described a total of 3 round trips between client and server. We are able to reduce this to 2 round trips, or to 1 and a half if only the client needs to be authenticated to the server.
Conclusion
1. An attacker with neither the user's password nor the host's password file cannot mount a dictionary attack on the password. Mutual authentication is achieved in this scenario.
2. An attacker who captures the host's password file cannot directly compromise user-to-host authentication and gain access to the host without an expensive dictionary search.
3. An attacker who compromises the host does not obtain the password from a legitimate authentication attempt.
4. An attacker who captures the session key cannot use it to mount a dictionary attack on the password.
5. An attacker who captures the user's password cannot use it to compromise the session keys of past sessions.
It is believed that this set of properties is at or near the theoretical limit of security that can be offered by a purely password-based protocol. SRP, which bases its security on the difficulty of solving the Diffie-Hellman problem in the multiplicative field modulo a large safe prime, meets these requirements and does so using only one exponential key exchange round, making it useful for applications in which good performance is an issue. It solves some outstanding issues with protocols like EKE and SPEKE without sacrificing either performance or security. SRP's security, simplicity, and speed make it ideal for a wide range of real-world applications in which secure password authentication is required.
Original Whitepaper -
http://srp.stanford.edu/ndss.html