I am currently working on a project which involves authenticating users securely. I've been reading about SRP a lot, and still haven't managed to get my head around the core concepts. I would be grateful if you could explain the idea and implementation of SRP in layman's terms.
Note: Please don't post links to websites about SRP, as I'm sure I've googled and read most of them; unless it's a paper explaining SRP in a lucid language.
asked on 9 January 2011 at 11:01
Start with both parties already having agreed a password.
In the first part of the protocol, both sides generate a random number and use some neat maths involving that and the password to agree a randomised shared secret. This is done in such a way that it's different every time (even though the password is the same), nobody listening on the wire can determine the shared secret, and it only works if both sides know the password. (The maths involved is based on the discrete logarithm problem, closely related to Diffie-Hellman.)
The parties then go on to prove to each other that they have both agreed the same shared secret (i.e. they both know the password), again without disclosing it to anybody listening. This takes more (different) neat maths.
Provided both sides are satisfied that they have the same shared secret, they can then derive session keys from it and start communicating under their choice of cipher.
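The two parts the answer describes, written out as a Python sketch of SRP-6a. This is an added example, not code from the answer or from any SRP library; the tiny group, the salt, the username/password and the fixed exponents a and b are constructed so the run is readable and repeatable, and the SHA-256 hashing layout is one common choice rather than the only one.

```python
import hashlib
import hmac

# Constructed toy group for illustration only: N = 2*509 + 1 is a safe prime and g = 2 is a
# primitive root mod N. Real deployments use RFC 5054 groups (2048 bits or more); nothing below depends on size.
N, G = 1019, 2
NLEN = (N.bit_length() + 7) // 8

def H(*parts: bytes) -> int:  # hash of the concatenation, read as a big-endian integer
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")
def pad(x: int) -> bytes:  # fixed-width encoding of a group element before it is hashed
    return x.to_bytes(NLEN, "big")
K = H(pad(N), pad(G)) % N  # SRP-6a multiplier k = H(N, g)

def private_key(username: bytes, password: bytes, salt: bytes) -> int:
    return H(salt, hashlib.sha256(username + b":" + password).digest())  # x: only the client computes this
def enrol(username: bytes, password: bytes, salt: bytes) -> int:
    return pow(G, private_key(username, password, salt), N)  # verifier v = g^x; server stores (salt, v), not the password

def client_secret(username, password, salt, a, B):
    # Client side of part one: S = (B - k*g^x)^(a + u*x), where A = g^a was sent to the server.
    if B % N == 0: raise ValueError("B is zero mod N: abort")
    A, x = pow(G, a, N), private_key(username, password, salt)
    u = H(pad(A), pad(B))  # binds both ephemerals so neither side can fix S in advance
    return pow((B - K * pow(G, x, N)) % N, a + u * x, N)

def server_secret(v, b, A):
    # Server side of part one: S = (A * v^u)^b, where B = k*v + g^b was sent to the client.
    if A % N == 0: raise ValueError("A is zero mod N: abort")
    u = H(pad(A), pad((K * v + pow(G, b, N)) % N))
    if u == 0: raise ValueError("u is zero: abort")
    return pow(A * pow(v, u, N), b, N)

def proofs(A, B, S):
    # Part two: M1 proves the client knows S, M2 proves the server does; key feeds part three.
    key = hashlib.sha256(pad(S)).digest()
    m1 = hashlib.sha256(pad(A) + pad(B) + key).digest()
    m2 = hashlib.sha256(pad(A) + m1 + key).digest()
    return key, m1, m2

def run(username, client_password, server_password, a, b, salt=b"constructed-salt"):
    # One full exchange with fixed ephemerals a, b; True only if both proofs verify.
    v = enrol(username, server_password, salt)
    A, B = pow(G, a, N), (K * v + pow(G, b, N)) % N  # on the wire: username and A, then salt and B
    key_c, m1_c, m2_c = proofs(A, B, client_secret(username, client_password, salt, a, B))
    key_s, m1_s, m2_s = proofs(A, B, server_secret(v, b, A))
    if not hmac.compare_digest(m1_c, m1_s):  # server rejects the client's proof: passwords differ
        return False
    return hmac.compare_digest(m2_c, m2_s) and key_c == key_s  # client checks the server's proof
```

Both sides end with the same `key` only when the verifier on the server and the password on the client match; the abort checks on A, B and u are the ones the protocol requires before any proof is exchanged.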