The “secure remote password protocol” is a modern cryptographic protocol for password authenticated key exchange (PAKE). It provides some desireable properties, like a passive eavesdropper being unable to brute-force the password. It is usually used to derive shared session keys from passwords and authenticate users with passwords.
Questions tagged [srp]
53 questions
4
votes
2 answers
Can the premaster secret generated by SRP be used as a secure private key?
It seems like the pre-master secret generated during the SRP protocol would make a good source to generate a shared private key using a secure hash to compress it down into a 128/256 symmetric key. The random values that get hashed into it seem to…
Grant BlahaErath
- 355
- 1
- 9
4
votes
2 answers
Use of less than secure random numbers for 'a' during an SRP proof of password
With Secure Remote Password protocol SRP6a random numbers are used for s, a and b. Where s is the salt registered with the user, a and b are random one time ephemeral keys of the user and host respectively. What would be the risk of letting some…
simbo1905
- 645
- 5
- 14
3
votes
2 answers
Is this exponentation or bitwise XOR
I'm reading about SRP from this page and came accross the line that says a party computes
v = g^x
I am unfamiliar with reading cryptography texts. Does this mean gx, or g ⊕ x?
Jecko
3
votes
1 answer
SRP man-in-the-middle
This site suggests that Secure Remote Password protocol is secure when "Attackers can intercept, modify, and forge arbitrary messages between client and server."
However, from a quick reading of the Wikipedia page on SRP [1], it seems that an…
Him
- 165
- 6
1
vote
1 answer
Can N, q be shared for multiple users when using SRP-6A
Is it considered bad practice to use the same N and q parameters for all users in an SRP-6A based authentication system?
I know that q MUST be a Sophie Germain prime and N a safe prime, but can they be generated ahead of time and be somewhat fixed /…
cryptonerd
- 13
- 2
-1
votes
1 answer
Are the protocols DH-EKE, B-SPEKE, A-EKE, and SRP are considered challenge-response authenticaion mechanisms?
I got confused which one is considered challenge-response mechanism which one is not.
Tareq
- 1
- 1