
In SRP-6 $B$ is calculated as $B=kv+ g^b, k=3$. What is the purpose of $k$, and why was it fixed as $3$?

(In SRP-6a, this value $3$ is replaced by $k = H(N,g)$, but this question is about SRP-6.)

user236501

1 Answer

The purpose is to prevent a two-for-one guessing attack, where an active adversary, impersonating the server, can test two password guesses per attempt. The attack and why the multiplier prevents it are described in Section 2 of the SRP-6 paper (ps). (According to MacKenzie, it was discovered by Bleichenbacher.)

In brief, the attack goes like this:

  • Instead of $B = v + g^b = g^x + g^b$ with a random $b$, the attacker calculates $B = g^{x_1} + g^{x_2}$ with two password guesses.
  • The client uses the value $B - g^x$, meaning if $x=x_1$ they get $g^{x_2}$ and if $x=x_2$ they get $g^{x_1}$.
  • The attacker calculates two session keys, based on $x=x_1, b=x_2$ and $x=x_2, b=x_1$. If either of these matches with the $M_1$ sent by the client, they have found the password.

If the attacker does not know the discrete logarithm of $k$, i.e. the number $l$ for which $g^l = k$, they cannot try two guesses at once with the version 6 protocol where $v$ is multiplied by $k$.

The paper shows why $k=3$ is a safe choice for generic $g$ and $N$.

(The hashed $k$ fixes it for maliciously chosen $g$ and $N$ as well.)

otus
  • I notice that there necessarily still exists a fast classical attack for any given $g$ and $N$. It seems to me that using k = 3 + H(N,g,A) would make it plausible that there is no fast classical attack. Is there a better reason than "it takes slightly more computation" for not doing that? – Aug 19 '14 at 20:46
  • @RickyDemer, isn't that just equivalent to switching to another $H$? I don't think it can help. – otus Aug 20 '14 at 05:32
  • That's certainly not obviously equivalent, since it makes $k$ depend on the client's message. – Aug 20 '14 at 05:41
  • @RickyDemer, oh I missed that you added the $A$. I don't think the $3$ in your formula matters, but how is adding $A$ better than what SRP-6a does? – otus Aug 20 '14 at 05:46
  • It makes the resulting protocol be such that, as far as I can see, there does not necessarily exist a fast classical two-for-one guessing attack on a large $N$ that can handle arbitrary pairs of candidate passwords. – Aug 20 '14 at 06:03
  • Whereas for SRP-6a one exists, but cannot be found quickly? I guess that would be an advantage, but not necessarily worth the cost of an extra hash on each run and serializing the protocol ($B$ cannot be calculated in advance). – otus Aug 20 '14 at 06:36