Client should show proof first
According to the SRP design specification you reference, the client should show its proof first. However, in ClientProof() you check if the server is proved first?

```go
if !s.isServer && !s.isServerProved {
	return nil, fmt.Errorf("don't construct client proof until server is proved")
}
```
Ah. I assume you are referring to
Now the two parties have a shared, strong session key K. To complete authentication, they need to prove to each other that their keys match. One possible way:
User -> Host: M = H(H(N) xor H(g), H(I), s, A, B, K)
Host -> User: H(A, M, K)
I probably read that backwards. I do not believe that this matters at this point in the authentication process, but unless I am certain that order doesn't matter here, we should have this code follow that "spec".
Yes, and the comment at the top of the file also mentions client proof first:
Client -> Server: M = H(H(N) xor H(g), H(I), s, A, B, Key)
Server -> Client: H(A, M, K)
The client must show its proof first
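The proof order quoted above (the client sends M, then the server answers with H(A, M, K)), as an added Go example that is not this library's code: H is stood in by SHA-256, the group and session values are passed as already-encoded bytes, and the values in main are constructed toys, not a real SRP group. ServerRespond shows why the order follows from the formulas themselves: the server proof takes M as input, so it cannot exist before the client proof has been received and checked.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

type Session struct{ N, G, I, S, A, B, K []byte } // what each side holds after the exchange

func h(parts ...[]byte) []byte { // SHA-256 over the concatenation of its arguments
	d := sha256.New()
	for _, p := range parts {
		d.Write(p)
	}
	return d.Sum(nil)
}

// ClientProof computes M = H(H(N) xor H(g), H(I), s, A, B, K).
func (c Session) ClientProof() []byte {
	hn, hg := h(c.N), h(c.G)
	x := make([]byte, len(hn))
	for i := range hn {
		x[i] = hn[i] ^ hg[i]
	}
	return h(x, h(c.I), c.S, c.A, c.B, c.K)
}

// ServerRespond verifies the client's M and only then returns H(A, M, K):
// the server proof is a function of M, so it cannot be produced first.
func (s Session) ServerRespond(M []byte) ([]byte, error) {
	if !bytes.Equal(M, s.ClientProof()) {
		return nil, fmt.Errorf("client proof mismatch")
	}
	return h(s.A, M, s.K), nil
}

// Handshake runs the spec order and reports whether both sides are satisfied.
func Handshake(client, server Session) (bool, error) {
	M := client.ClientProof()            // 1. client proves first
	hamk, err := server.ServerRespond(M) // 2. server checks M, then proves
	if err != nil {
		return false, err
	}
	return bytes.Equal(hamk, h(client.A, M, client.K)), nil // 3. client checks
}

func main() { // constructed toy values, not a real SRP group
	c := Session{N: []byte{23}, G: []byte{5}, I: []byte("alice"), S: []byte("salt"), A: []byte{8}, B: []byte{19}, K: []byte{42}}
	fmt.Println(Handshake(c, c))
}
```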
I believe in most cases the server proof is not required, or at least for my use case I am only interested in the client proof, so this adds an additional round trip to the authentication process.
This should be fixed, but I want to be careful about breaking changes.