From 693b6d1e36828fa17915a9297595f65c739b611a Mon Sep 17 00:00:00 2001
From: Azul
Date: Thu, 4 Oct 2012 09:54:47 +0200
Subject: using BIG_PRIME_N and hashing the byte array - tests pass We still calculate M differently than in SRP 6a
---
lib/srp/authentication.rb | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'lib/srp/authentication.rb')
diff --git a/lib/srp/authentication.rb b/lib/srp/authentication.rb
index 4afe20b..0505a58 100644
--- a/lib/srp/authentication.rb
+++ b/lib/srp/authentication.rb
@@ -13,18 +13,18 @@ module SRP
 @aa = aa
 @b = bigrand(32).hex
 # B = g^b + k v (mod N)
- @bb = (modpow(GENERATOR, @b, PRIME_N) + multiplier * verifier) % PRIME_N
+ @bb = (modpow(GENERATOR, @b, BIG_PRIME_N) + multiplier * verifier) % BIG_PRIME_N
 end
 def u
- calculate_u(aa, bb, PRIME_N)
+ calculate_u(aa, bb, BIG_PRIME_N)
 end
 # do not cache this - it's secret and someone might store the
 # session in a CookieStore
 def secret(verifier)
- base = (modpow(verifier, u, PRIME_N) * aa) % PRIME_N
- modpow(base, @b, PRIME_N)
+ base = (modpow(verifier, u, BIG_PRIME_N) * aa) % BIG_PRIME_N
+ modpow(base, @b, BIG_PRIME_N)
 end
 def m1(verifier)
-- cgit v1.2.3
From b889ef34d4fff0d156901ae2aebfcee02339ce77 Mon Sep 17 00:00:00 2001
From: Azul
Date: Thu, 4 Oct 2012 10:22:46 +0200
Subject: some cleanup, sha functions now concat multiple args also u does not depend on n
---
lib/srp/authentication.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'lib/srp/authentication.rb')
diff --git a/lib/srp/authentication.rb b/lib/srp/authentication.rb
index 0505a58..0fd275c 100644
--- a/lib/srp/authentication.rb
+++ b/lib/srp/authentication.rb
@@ -17,7 +17,7 @@ module SRP
 end
 def u
- calculate_u(aa, bb, BIG_PRIME_N)
+ calculate_u(aa, bb)
 end
 # do not cache this - it's secret and someone might store the
-- cgit v1.2.3
From c73f7c1b4c1270d4d0ca47650a12893a6d13e796 Mon Sep 17 00:00:00 2001
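Review bot: In the `@@ -13,18 +13,18 @@` hunk of commit 693b6d1, the client value stored by `@aa = aa` is multiplied into `base` in `secret` without ever being checked against the modulus. If `aa` is a multiple of `BIG_PRIME_N`, `base` is zero and the shared secret no longer depends on the verifier, so the `m1` proof stops demonstrating knowledge of the password; RFC 5054 requires the server to abort in that case. A guard before the assignment, `raise ArgumentError, 'A must not be 0 mod N' if (aa % BIG_PRIME_N).zero?`, closes this (the exception class is a suggestion; use whatever the callers expect). The same unguarded lines reappear in the `@@ -13,7 +13,7 @@` and `@@ -23,8 +23,8 @@` hunks of c73f7c1, and `initialize` itself starts outside the hunk.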
From: Azul
Date: Thu, 4 Oct 2012 10:32:39 +0200
Subject: simplifying modpow to default to BIG_PRIME_N
---
lib/srp/authentication.rb | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'lib/srp/authentication.rb')
diff --git a/lib/srp/authentication.rb b/lib/srp/authentication.rb
index 0fd275c..3428fd4 100644
--- a/lib/srp/authentication.rb
+++ b/lib/srp/authentication.rb
@@ -13,7 +13,7 @@ module SRP
 @aa = aa
 @b = bigrand(32).hex
 # B = g^b + k v (mod N)
- @bb = (modpow(GENERATOR, @b, BIG_PRIME_N) + multiplier * verifier) % BIG_PRIME_N
+ @bb = (modpow(GENERATOR, @b) + multiplier * verifier) % BIG_PRIME_N
 end
 def u
@@ -23,8 +23,8 @@ module SRP
 # do not cache this - it's secret and someone might store the
 # session in a CookieStore
 def secret(verifier)
- base = (modpow(verifier, u, BIG_PRIME_N) * aa) % BIG_PRIME_N
- modpow(base, @b, BIG_PRIME_N)
+ base = (modpow(verifier, u) * aa) % BIG_PRIME_N
+ modpow(base, @b)
 end
 def m1(verifier)
-- cgit v1.2.3
From 0e5f57d3e07db606a779485e1537d4db8b5d3da2 Mon Sep 17 00:00:00 2001
From: Azul
Date: Thu, 4 Oct 2012 11:23:00 +0200
Subject: created session class to hold aa, bb and so forth - done for client We have a session in the server already - duplication there now, merge next
---
lib/srp/authentication.rb | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
(limited to 'lib/srp/authentication.rb')
diff --git a/lib/srp/authentication.rb b/lib/srp/authentication.rb
index 3428fd4..c87fe1d 100644
--- a/lib/srp/authentication.rb
+++ b/lib/srp/authentication.rb
@@ -17,7 +17,7 @@ module SRP
 end
 def u
- calculate_u(aa, bb)
+ @u ||= calculate_u
 end
 # do not cache this - it's secret and someone might store the
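Review bot: In the `@@ -13,7 +13,7 @@` hunk of commit c73f7c1, the server's private exponent stays in the instance variable `@b` right above the rewritten `@bb` line, with no warning attached to it. The comment on `secret` in the next hunk refuses to cache the shared secret because the session might be put in a CookieStore, and `@b` deserves the same care: a stored session that exposes `@b` alongside the public `bb` also exposes the verifier, if that store is readable by the client or ends up in logs. Document it where it is assigned, e.g. `# @b is secret - never serialize a Session into a client-readable store`, or keep `@b` out of whatever gets persisted. `initialize` starts outside the hunk.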
@@ -28,11 +28,20 @@ module SRP
 end
 def m1(verifier)
- calculate_m(aa, bb, secret(verifier))
+ calculate_m(secret(verifier))
 end
 def m2(m1, verifier)
- calculate_m(aa, m1, secret(verifier))
+ sha256_int(@aa, m1, secret(verifier)).hex
+ end
+
+ protected
+ def calculate_u
+ sha256_int(@aa, @bb).hex
+ end
+
+ def calculate_m(s)
+ sha256_int(@aa, @bb, s).hex
 end
 end
-- cgit v1.2.3
From 777254f7ba10a0dd8fbee433e6a631d96e9d76f0 Mon Sep 17 00:00:00 2001
From: Azul
Date: Thu, 4 Oct 2012 11:48:38 +0200
Subject: moved all server side auth stuff into session so i can remove the authentication module
---
lib/srp/authentication.rb | 68 -----------------------------------------------
1 file changed, 68 deletions(-)
delete mode 100644 lib/srp/authentication.rb
(limited to 'lib/srp/authentication.rb')
diff --git a/lib/srp/authentication.rb b/lib/srp/authentication.rb
deleted file mode 100644
index c87fe1d..0000000
--- a/lib/srp/authentication.rb
+++ /dev/null
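Review bot: In the `@@ -28,11 +28,20 @@` hunk of commit 0e5f57d, the new `calculate_u` and `calculate_m` pass `@aa`, `@bb` and `s` straight to `sha256_int` with no visible fixed-width encoding. `sha256_int` is defined outside this diff, but if it concatenates variable-length encodings (an earlier commit message says the sha functions "concat multiple args"), different value tuples can yield the same hash input, and `u` will not match SRP-6a's `H(PAD(A) | PAD(B))`. Either pad each argument to the byte length of `BIG_PRIME_N` inside `sha256_int`, or record the deviation next to these methods, e.g. `# NOTE: u and M are not SRP-6a compatible - inputs are not padded to the length of N`. Separately, `m2` repeats the `sha256_int(...).hex` pattern inline rather than going through a helper like `calculate_m`, so a change of hash or encoding has to be made in three places.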
@@ -1,68 +0,0 @@
-require File.expand_path(File.dirname(__FILE__) + '/util')
-
-module SRP
- module Authentication
-
- include Util
-
- class Session
- include Util
- attr_accessor :aa, :bb
-
- def initialize(aa, verifier)
- @aa = aa
- @b = bigrand(32).hex
- # B = g^b + k v (mod N)
- @bb = (modpow(GENERATOR, @b) + multiplier * verifier) % BIG_PRIME_N
- end
-
- def u
- @u ||= calculate_u
- end
-
- # do not cache this - it's secret and someone might store the
- # session in a CookieStore
- def secret(verifier)
- base = (modpow(verifier, u) * aa) % BIG_PRIME_N
- modpow(base, @b)
- end
-
- def m1(verifier)
- calculate_m(secret(verifier))
- end
-
- def m2(m1, verifier)
- sha256_int(@aa, m1, secret(verifier)).hex
- end
-
- protected
- def calculate_u
- sha256_int(@aa, @bb).hex
- end
-
- def calculate_m(s)
- sha256_int(@aa, @bb, s).hex
- end
-
- end
-
- def initialize_auth(aa)
- return Session.new(aa, verifier)
- end
-
- def authenticate!(m, session)
- authenticate(m, session) || raise(SRP::WrongPassword)
- end
-
- def authenticate(m, session)
- if(m == session.m1(verifier))
- return session.m2(m, verifier)
- end
- end
-
-
- end
-
-end
-
-
-- cgit v1.2.3