/* $Id: crypt_prot.x,v 1.7 2006/02/25 02:02:39 mfreed Exp $ */
/*
* This file was written by David Mazieres. Its contents are
* uncopyrighted and in the public domain. Of course, standards of
* academic honesty nonetheless prevent anyone in research from
* falsely claiming credit for this work.
*/
%#include "bigint.h"
/*
* These structures define the raw byte formats of messages exchanged
* by the SRP protocol, as published in:
*
* T. Wu, The Secure Remote Password Protocol, in Proceedings of the
* 1998 Internet Society Network and Distributed System Security
* Symposium, San Diego, CA, Mar 1998, pp. 97-111.
*
* sessid is a session identifier known by the user and server to be fresh
*
* N is a prime number such that (N-1)/2 is also prime
* g is a generator of Z_N^*
*
* x is a function of the user's password and salt
* v is g^x mod N
*
* a is a random element of Z_N^* selected by the user (client)
* A = g^a mod N
*
* b and u are random elements of Z_N^* picked by the server
* B = v + g^b mod N (in version 3 of the protocol)
* B = 3v + g^b mod N (in version 6 of the protocol)
*
* S = g^{ab} * g^{xub}
* M = SHA-1 (sessid, N, g, user, salt, A, B, S)
* H = SHA-1 (sessid, A, M, S)
*
* The protocol proceeds as follows:
*
* User -> Server: username
* Server -> User: salt, N, g
* User -> Server: A
* Server -> User: B, u
* User -> Server: M
* Server -> User: H
*
* After this, S can be used to generate secret session keys for use
* between the user and server.
*/
/*
* By default, the SRP code now uses an updated scheme designed to
* prevent two-for-one password guessing by an active attacker
* impersonating the server, as described in:
*
* T. Wu, SRP-6: Improvements and Refinements to the Secure Remote
* Password Protocol, Submission to the IEEE P1363 Working Group,
* Oct 2002.
*
* The protocol is the same as the one above (called "SRP-3"), but a
* constant k=3 is used to remove the symmetry in the calculation of B
* by the server and of S by the client:
*
* (server) B = kv + g^b mod N
*
* (client) S = (B - kv)^(a + ux)
*
* The resulting value of S (as a function of all the other
* parameters) is the same as before, and there is no change in the
* sequence of messages exchanged.
*/
/*
 * Fixed 20-byte opaque digest. 20 bytes is the SHA-1 output length,
 * and the header comment above names SHA-1 as the hash producing M and H.
 */
typedef opaque _srp_hash[20];
/*
 * Message 1, server to client ("Server -> User: salt, N, g" above).
 * Carries the user's salt together with the group parameters.
 * NOTE(review): N and g arrive from the peer; the code that decodes
 * this message (not shown here) is presumably where they are checked
 * against the properties stated in the header comment (N prime with
 * (N-1)/2 prime, g a generator of Z_N^*) -- confirm in the caller.
 */
struct srp_msg1 {
string salt<>; /* variable-length per-user salt */
bigint N; /* prime modulus */
bigint g; /* generator */
};
/*
 * Message 2, client to server ("User -> Server: A" above).
 * A = g^a mod N for a client-chosen random a.
 */
struct srp_msg2 {
bigint A; /* client's public ephemeral value */
};
/*
 * Message 3, server to client ("Server -> User: B, u" above).
 * B = kv + g^b mod N (k = 1 for SRP-3, k = 3 for SRP-6, see header);
 * u is a random value picked by the server.
 */
struct srp_msg3 {
bigint B; /* server's public ephemeral value */
bigint u; /* server-chosen random scrambling value */
};
/*
 * Preimage of message 4. This struct is not sent as-is: its encoding
 * is hashed to produce M, and the client sends M ("User -> Server: M").
 * Field order matches M = SHA-1 (sessid, N, g, user, salt, A, B, S)
 * from the header comment. Note that S, the shared secret, appears
 * here only as hash input and is never transmitted.
 */
struct srp_msg4_src {
_srp_hash sessid; /* fresh session identifier */
bigint N;
bigint g;
string user<>;
string salt<>;
bigint A;
bigint B;
bigint S; /* shared secret; hashed, never sent */
};
/*
 * Preimage of message 5. Hashed to produce H, which the server sends
 * back ("Server -> User: H"). Field order matches
 * H = SHA-1 (sessid, A, M, S) from the header comment; M is the
 * client's proof from message 4.
 */
struct srp_msg5_src {
_srp_hash sessid;
bigint A;
_srp_hash M; /* client's proof, as received in message 4 */
bigint S; /* shared secret; hashed, never sent */
};
#if 0
/*
 * Info stored by server. Compiled out by the #if 0 -- kept only as a
 * record of the per-user state the server needs: the group (n, g), the
 * salt, and the verifier v = g^x mod N described in the header comment.
 */
struct srp_info {
bigint n;
bigint g;
string salt<>;
bigint v; /* password verifier, v = g^x mod N */
};
#endif
/*
 * Key type tags. Used as the discriminator of the crypt_ctext union
 * below; only the Rabin, Paillier and ElGamal types carry a ciphertext
 * body there.
 */
enum crypt_keytype {
CRYPT_NOKEY = 0,
CRYPT_RABIN = 1,
CRYPT_2SCHNORR = 2, /* proactive 2-Schnorr -- private */
CRYPT_SCHNORR = 3, /* either *Schnorr -- public */
CRYPT_1SCHNORR = 4, /* standard 1-Schnorr -- private */
CRYPT_ESIGN = 5,
CRYPT_PAILLIER = 6,
CRYPT_ELGAMAL = 7
};
/*
 * ElGamal ciphertext: a pair of bigints.
 * NOTE(review): the exact meaning of r and m (which is the ephemeral
 * component and which the masked message) is not stated here -- see
 * the ElGamal implementation that fills this in.
 */
struct elgamal_ctext {
bigint r;
bigint m;
};
/*
 * Ciphertext container discriminated by crypt_keytype. Rabin and
 * Paillier ciphertexts are a single bigint, ElGamal a pair; every
 * other key type (NOKEY, the Schnorr variants, ESIGN) carries no body.
 */
union crypt_ctext switch (crypt_keytype type) {
case CRYPT_RABIN:
bigint rabin;
case CRYPT_PAILLIER:
bigint paillier;
case CRYPT_ELGAMAL:
elgamal_ctext elgamal;
default:
void; /* no ciphertext payload for the remaining key types */
};