The Simplified Description of the SRP protocol

 

Note: All arithmetic is modulus n

Public values: n, g

 

Setup

 

A: x := hash(s, P)

A -> S: x

S: v := g^X

 

Protocol

 

C -> S: C, f(a)

S: <-(C, A)

S -> C: s, Ru, h(v, b)

C:<-(s, Ru, B)

C: K = hash(j(B, x, a, u))

S: K = hash(k(A, v, u, b))

C -> S: hash(A, B, Kc)

S: <-(M1)

S -> C: hash(A, M1, Ks)

 

Functions

 

f(a, g) = g^a

h(v, b, g) = v + g^b

j(B, x, a, u) = (B – g^x)^{a + ux}

k(A, v, u, b) = (Av^u)^b

 

Variables

 

n = large prime

g = primitive root modulo n

s =  salt

P = C’s password

x = private key

v = host’s password verifier

a, b = ephemeral private keys

A, B = corresponding public keys to a, b

K = session key