About the SRP protocol: http://en.wikipedia.org/wiki/Secure_remote_password_protocol
I can see that the generation of the session key (K) is perfectly safe, but in the last step the user sends proof of K (M). If the network is insecure and the attacker in the middle captures M, he would be able to authenticate without having K, right?
Well-known values (pre-established):
n A large prime number. All computations are performed modulo n.
g A primitive root modulo n (often called a generator).
The user's password is established as:
x = H(s, P)
v = g^x
H() One-way hash function
s A random string used as the user's salt
P The user's password
x A private key derived from the password and salt
v The host's password verifier
Authentication:
+---+------------------------+--------------+----------------------+
| | Alice | Public Wire | Bob |
+---+------------------------+--------------+----------------------+
| 1 | | C --> | (lookup s, v) |
| 2 | x = H(s, P) | <-- s | |
| 3 | A = g^a | A --> | |
| 4 | | <-- B, u | B = v + g^b |
| 5 | S = (B - g^x)^(a + ux) | | S = (A · v^u)^b |
| 6 | K = H(S) | | K = H(S) |
| 7 | M[1] = H(A, B, K) | M[1] --> | (verify M[1]) |
| 8 | (verify M[2]) | <-- M[2] | M[2] = H(A, M[1], K) |
+---+------------------------+--------------+----------------------+
u Random scrambling parameter, publicly revealed
a,b Ephemeral private keys, generated randomly and not publicly revealed
A,B Corresponding public keys
m,n The two quantities (strings) m and n concatenated
S Calculated exponential value
K Session key
As you can see, both parties calculate K (=the session key) separately, based upon the values available to each of them. If Alice's password P entered in Step 2 matches the one she originally used to generate v, then both values of S will match.
The actual session key K is however never sent over the wire, only the proof that both parties have successfully calculated the same session key. So a man-in-the-middle could resend the proof, but since he does not have the actual session key, he would not be able to do anything with the intercepted data.
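The table above worked through as an added Python example (not code from the answer or from any SRP library): it follows the table's formulas (B = v + g^b, S = (B - g^x)^(a + ux)) over a constructed toy group and shows why a captured M[1] does not verify in a fresh session, since Bob's new b changes B and therefore K. The function names, the choice of SHA-256 for H(), and letting Bob draw u are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Toy group, constructed for this illustration only; a real deployment uses a
# standardized large group (RFC 5054), never a 30-bit prime like this one.
N = 1000000007   # prime modulus n; every computation below is mod N
G = 5            # generator g (assumed to be a primitive root modulo N)

def H(*parts):
    """One-way hash H(): SHA-256 over the length-prefixed, concatenated parts."""
    h = hashlib.sha256()
    for p in parts:
        raw = p if isinstance(p, bytes) else str(p).encode()
        h.update(len(raw).to_bytes(4, "big") + raw)
    return int.from_bytes(h.digest(), "big")

def register(salt, password):
    """Setup: x = H(s, P), v = g^x. Bob stores only (s, v), never P or x."""
    return pow(G, H(salt, password), N)

def exchange(salt, password, v, a=None, b=None, u=None):
    """Steps 2-6 of the table; returns the wire values and each side's K."""
    a = a or secrets.randbelow(N - 2) + 1   # Alice's ephemeral private key
    b = b or secrets.randbelow(N - 2) + 1   # Bob's ephemeral private key
    u = u or secrets.randbits(32) + 1       # public scrambling parameter
    x = H(salt, password)                   # Alice, step 2 (needs P)
    A = pow(G, a, N)                        # Alice, step 3
    B = (v + pow(G, b, N)) % N              # Bob, step 4 (needs v, not P)
    S_alice = pow((B - pow(G, x, N)) % N, a + u * x, N)  # step 5, Alice
    S_bob = pow(A * pow(v, u, N) % N, b, N)              # step 5, Bob
    return {"A": A, "B": B, "u": u, "K_alice": H(S_alice), "K_bob": H(S_bob)}

def m1(A, B, K):
    return H(A, B, K)          # step 7: Alice's proof of K

def m2(A, M1, K):
    return H(A, M1, K)         # step 8: Bob's proof of K

def verify(expected, received):
    return hmac.compare_digest(expected.to_bytes(32, "big"), received.to_bytes(32, "big"))

def bob_checks_replay(v, captured_A, captured_M1, b=None, u=None):
    """Bob's side of a fresh session in which an eavesdropper replays A and
    M[1] captured earlier. Returns True only if the stale proof verifies."""
    b = b or secrets.randbelow(N - 2) + 1   # fresh b => fresh B and fresh K
    u = u or secrets.randbits(32) + 1
    B = (v + pow(G, b, N)) % N
    K = H(pow(captured_A * pow(v, u, N) % N, b, N))
    return verify(m1(captured_A, B, K), captured_M1)
```

If Bob were to reuse the same b and u as in the captured session, the replayed proof would verify, which is exactly why b must be fresh for every session.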