[Security] TLS-SRP Questions

Eric Rescorla ekr at rtfm.com
Thu Aug 21 09:12:54 CDT 2008

On Thu, Aug 21, 2008 at 3:52 AM, Dirk Meyer <dmeyer at tzi.de> wrote:
> Hi,
> I have two questions if I understand RFC 5054 correctly. In our
> scenario we have two clients with unverified certificates and a shared
> secret we use as password. One acts as TLS client, the other as TLS
> server. Now I want to be sure that not only the TLS server can verify
> the client knows the password but also the other way around. Looking
> at the RFC I see that the premaster secret is calculated by both
> parties using x with x = SHA1(s | SHA1(I | ":" | P)) and P is the
> password. The server uses this indirectly by using v and v = g^x % N.
> So am I understanding this correctly that BOTH will notice it when the
> other does not know the password?


Technically the server doesn't know the password but rather a "verifier"
that's derived from the password. This protects the client to some extent
if he uses the same password with multiple servers.
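
Added example, not part of the original message: a Python sketch of the RFC 5054 calculations quoted above, showing that the server holds only (salt, v) and that client and server derive the same premaster secret only when the typed password matches that verifier. The identity, passwords and the names compute_x, make_verifier and handshake are constructed for illustration, and both sides run inside one function for brevity.

```python
import hashlib, secrets

# 1024-bit group from RFC 5054 Appendix A, generator g = 2
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C"
    "9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE4"
    "8E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B29"
    "7BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9A"
    "FD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
LEN = (N.bit_length() + 7) // 8

def H(*parts):
    return hashlib.sha1(b"".join(parts)).digest()

def pad(n):
    return n.to_bytes(LEN, "big")  # left-pad to the length of N

def compute_x(salt, identity, password):
    # x = SHA1(s | SHA1(I | ":" | P))
    return int.from_bytes(H(salt, H(identity + b":" + password)), "big")

def make_verifier(salt, identity, password):
    # v = g^x % N; the server stores (salt, v), never the password
    return pow(g, compute_x(salt, identity, password), N)

def handshake(salt, v, identity, typed_password):
    """One SRP exchange; returns (client_premaster, server_premaster)."""
    k = int.from_bytes(H(pad(N), pad(g)), "big")
    a, b = secrets.randbits(256), secrets.randbits(256)  # ephemeral secrets
    A = pow(g, a, N)                    # sent by the client
    B = (k * v + pow(g, b, N)) % N      # sent by the server
    u = int.from_bytes(H(pad(A), pad(B)), "big")
    x = compute_x(salt, identity, typed_password)
    client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    server = pow(A * pow(v, u, N) % N, b, N)
    return client, server

if __name__ == "__main__":
    salt = secrets.token_bytes(16)      # constructed sample values below
    v = make_verifier(salt, b"alice", b"password123")
    c, s = handshake(salt, v, b"alice", b"password123")
    print("right password, premasters match:", c == s)
    c, s = handshake(salt, v, b"alice", b"wrong-guess")
    print("wrong password, premasters match:", c == s)
```

Neither side ever sends the premaster secret; in TLS a mismatch surfaces when the Finished messages fail to verify.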


