SRP6 calculating M1, M2 incorrectly #506
Comments
|
Our implementation is for RFC 5054. |
|
Yes, but RFC 5054 it does not specify the algorithm for calculating M1 and M2, or at least I haven't found it there. It delegates M1/M2 to RFC 2945 and it just states that failing to decrypt the finished message performs the same function as M1/M2 in RFC 2945. If I understand it correctly, M1/M2 are not even being used in RFC 5054, but BouncyCastle has the methods for calculating them. And I haven't found anything related to the calculation of M1/M2 using the algorithm currently implemented by BouncyCastle: M1 = H(A | B | S) May I ask where does it come from, if not from RFC 5054/RFC 2945? |
|
@jimm98y I was able to hunt this down a little more. It looks like in 1999ish (according to here -- though other commentary points to a later date, perhaps 2002+), Thomas Wu proposed the SRP protocol with computation discussed here. Before (or perhaps after) standardization though (by the same author), it was changed to the version currently present in RFC 2945 (linked above), also sometimes called SRP-3 (perhaps?). Wikipedia gives this clue about the introduction of our algorithm:
(with algorithm matching what is in Bouncy Castle, without citations). The JavaDocs of a third-party package give us a clue as to citation for the reduced form:
Indeed, reading RFC 5054 linked by Peter above says:
Though, notably SRP-6 cites what is, presumably, the same paper mentioned by the JavaDocs and the Stanford link above. And, note my bolding: SRP-RFC links to RFC 2945. I believe Peter is thus correct and RFC 5054 is poorly cited/written: it is not RFC 2945 compatible and should be as implemented here in BC. This also matches with the file naming (SRP6). (However, I do agree, RFC 5054 is very unclear about these differences and lacks the information it states it should have.) Thus, you would be correct (as per your PR) in proposing alternative interfaces while retaining compatibility for existing users. However, it (incorrectly) looks like there might be a third variant: as discussed in this rust crate: https://docs.rs/srp/latest/srp/ -- though no source for this variant is mentioned on the README... As far as I can tell, this variant isn't used in the code base: https://github.com/RustCrypto/PAKEs/blob/master/srp/src/server.rs#L149-L155 does not seem to include |
As far as I can tell from the code, what is defined as: > key = compute_premaster_secret(...) does not include the given hash invocation step. While RFC 5054 is unclearly worded (see comment below), SRP-6 is clear that M1 should not include K = H(S) and thus this description of the protocol is incorrect. As far as I can tell, nobody else uses this computation of M1 (with K = H(S) as a parameter) and thus it should be dropped from the tabular and comment descriptions. See also: bcgit/bc-csharp#506 (comment) Signed-off-by: Alexander Scheel <alexander.scheel@keyfactor.com>
|
Wow, nice work! Thank you very much for this research, it's really interesting to see how many variants of SRP are out there. Digging a little bit more into HAP-nodejs revealed they also had to modify an existing implementation to make it HAP (RFC 2945) compatible: zarmack/fast-srp@24a32ff |
I was trying to use BouncyCastle SRP6 on the server side for HomeKit and I found out that I can only generate B and S, but then M1 and M2 are calculated in BouncyCastle like:
M1 = H(A | B | S)
M2 = H(A | M1 | S)
K = H(S)
While they should be calculated as follows according to RFC2945:
K = H(S)
M1 = H(H(N) XOR H(g) | H(I) | s | A | B | K)
M2 = H(A | M1 | K)
In C#, I ended up using the following code:
This issue is not just related to C#, I can see the same code in Java as well. The current BouncyCastle implementation is working only when BouncyCastle is being used on both sides - client and the server.
The text was updated successfully, but these errors were encountered: