7

I have been wracking my brain trying to develop a functioning implementation of SRP-6a in Python to use with a 3rd-party API that claims to use SRP-6a with $N=$ 2048-bit prime and generator of $2$. Unfortunately it has proven quite difficult to find two implementations that "match" to themselves.

For example, Stanford’s “SRP Protocol Design” page indicates that $K=H(S)$ (and I'm assuming that $H$ is SHA1 even though some implementations are using SHA256), but RFC2945 (original RFC for SRP) indicates $K$ is an Interleave-SHA1. So which is it?

Second, the proof that the user generates ($M$) is stated, "one possible way" is $M=H(H(N) \oplus H(g), H(I), s, A, B, K)$ whereas some implementations have $M=H(A,B,S)$? Which is it?

Finally, if I look at the original RFC2945 I see pretty much what is written in SRP Protocol Design, with the exception that $k=H(N,g)$ in 6a and for example in the design URL $B=(kv + g^b) % N$ (I guess, its never clear where to apply modulo $N$ if its just left out and written as "All arithmetic is done modulo N) where as in RFC2945 B is simply $(v+g^b) % N$.

Finally, are there test vectors other than $N$=1024-bit, $g=2$ , I can recreate the vector that exists even though nothing every shows the expected calculation for $K$ or $M$.

Apologies for first post to this site as sounding needy, but I've been trying to wrap my mind around this and work with a blackbox application that I simply fail the proof every time even after checking and doublechecking my code. :-(

Trina
  • 694
  • 7
  • 21
Joe
  • 225
  • 1
  • 5

1 Answers1

2

SRP protocol is quite abstract so to provide matching implementation for version 6a you need to know following:

  • N, g - group parameters
  • H - hash function, there can be different hash functions used for different values
  • how is private key x calculated
  • how is shared session key K calculated
  • how are evidence messages (M1, M2) calculated

In addition you need to know what is internal representation of numbers (byte order, padding) and what is the format of messages being exchanged between client and server.

Without that knowledge all you can do is reverse enginner (even without disassembling binary ie. you could deduce what might be hash function based on size of M1) or try your luck with different configurations. For example (based on RFC 5054 and SRP-6a summary):

  • byte order: big endian
  • encoding: UTF-8 (for username and password)
  • N = 2048 bit prime from appendix A
  • g = 2
  • H = SHA1
  • x = H(s | H(I | ':' | P))
  • k = H(N | PAD(g))
  • u = H(PAD(N) | PAD(B))
  • K = H(S)
  • M1 = H(H(N) xor H(g), H(I), s, A, B, K)
  • M2 = H(A, M1, K)

As for the test vectors I haven't found others then those at RFC 5054 and on Stanford SRP demo page.

Community
  • 1
nefarel
  • 183
  • 7