[Security] TLS-SRP Questions

Dirk Meyer dmeyer at tzi.de
Thu Aug 21 05:52:14 CDT 2008


I have two questions if I understand RFC 5054 correctly. In our
scenario we have two clients with unverified certificates and a shared
secret we use as password. One acts as TLS client, the other as TLS
server. Now I want to be sure that not only the TLS server can verify
the client knows the password but also the other way around. Looking
at the RFC I see that the premaster secret is calculated by both
parties using x with x = SHA1(s | SHA1(I | ":" | P)) and P is the
password. The server uses this indirectly by using v and v = g^x % N

So am I understanding this correct that BOTH will notice it when the
other does not know the password?

Second question is about the certificates. For the RFC:

| Client Hello (I)        -------->
|                                             Server Hello
|                                             Certificate*
|                                      Server Key Exchange
|                         <--------      Server Hello Done
| Client Key Exchange (A) -------->
| [Change cipher spec]
| Finished                -------->
|                                     [Change cipher spec]
|                         <--------               Finished

So the server MAY send its certificate but the client will never do
that. A simple rehandshake without exchanging at least the
fingerprints over the secure connection will not work.


PCMCIA - People Can't Memorise Computer Industry Acronyms

More information about the Security mailing list