4

In SRP-6 $B$ is calculated as $B=kv+ g^b, k=3$. What is the purpose of $k$, and why was it fixed as $3$?

(In SRP-6a, this value $3$ is replaced by $k = H(N,g)$, but this question is about SRP-6.)

user236501

1 Answer

3

The purpose is to prevent a two-for-one guessing attack, where an active adversary, impersonating the server, can test two password guesses per attempt. The attack and why the multiplier prevents it are described in Section 2 of the SRP-6 paper (ps). (According to MacKenzie, it was discovered by Bleichenbacher.)

In brief, the attack goes like this:

  • Instead of $B = v + g^b = g^x + g^b$ with a random $b$, the attacker calculates $B = g^{x_1} + g^{x_2}$ with two password guesses.
  • The client uses the value $B - g^x$, meaning if $x=x_1$ they get $g^{x_2}$ and if $x=x_2$ they get $g^{x_1}$.
  • The attacker calculates two session keys, based on $x=x_1, b=x_2$ and $x=x_2, b=x_1$. If either of these matches with the $M_1$ sent by the client, they have found the password.

If the attacker does not know the discrete logarithm of $k$, i.e. the number $l$ for which $g^l = k$, they cannot try two guesses at once with the version 6 protocol where $v$ is multiplied by $k$.

The paper shows why $k=3$ is a safe choice for generic $g$ and $N$.

(The hashed $k$ fixes it for maliciously chosen $g$ and $N$ as well.)

otus
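The algebra in the answer above can be checked numerically. The following is an added example, not part of the original post or the SRP-6 paper: it runs the client computation against the $B$ described above with $k=1$ and with $k=3$ and reports which guesses a single $M_1$ confirms. The modulus $2^{255}-19$, $g=2$, SHA-256, and the simplified $x$, $u$ and $M_1$ definitions are assumptions chosen for brevity, and it only exercises this one construction of $B$; the general argument is in the paper.

```python
import hashlib
import secrets

N = 2**255 - 19   # a prime used as a stand-in modulus (assumption, not a standard SRP group)
g = 2

def H(*parts):
    """Hash the parts to an integer (simplified stand-in for SRP's H)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p if isinstance(p, bytes) else str(p).encode())
        h.update(b"|")
    return int.from_bytes(h.digest(), "big")

def x_of(password, salt=b"constructed-salt"):
    return H(salt, password)          # x = H(salt, password), simplified

def client_m1(k, password, a, B):
    """What an honest client computes and sends after receiving B."""
    x = x_of(password)
    A = pow(g, a, N)
    u = H(A, B)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return A, H(A, B, S)              # M1 simplified to H(A, B, S)

def confirmed_guesses(k, real_password, guess1, guess2):
    """Guesses that one exchange confirms when B = k*g^x1 + g^x2."""
    x1, x2 = x_of(guess1), x_of(guess2)
    B = (k * pow(g, x1, N) + pow(g, x2, N)) % N   # k=1 is g^x1 + g^x2 from the answer
    a = secrets.randbelow(N - 2) + 1
    A, m1 = client_m1(k, real_password, a, B)
    u = H(A, B)
    hits = []
    # Candidate keys: (x=x1, b=x2) and (x=x2, b=x1), as in the answer.
    for guess, x, b in ((guess1, x1, x2), (guess2, x2, x1)):
        S = pow(A * pow(g, u * x, N) % N, b, N)   # (A * v^u)^b with v = g^x
        if H(A, B, S) == m1:
            hits.append(guess)
    return hits

if __name__ == "__main__":
    for k in (1, 3):
        for real in ("letmein", "hunter2"):   # constructed sample passwords
            print(k, real, confirmed_guesses(k, real, "letmein", "hunter2"))
```

With $k=3$ and the real password in the second slot, the client's base is $3g^{x_1} - 2g^{x_2}$ rather than $g^{x_1}$, so the second candidate key no longer matches.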