Cryptography
Updated Fri, 01 Jul 2022 22:01:20 GMT

# Why does SRP-6a use k = H(N, g) instead of the k = 3 in SRP-6?

I've been reading up on the Secure Remote Pasword protocol (SRP). There are a couple different versions of the protocol (the original published version being designated SRP-3, with two subsequent enhancements 6 and 6a).

There was a very limited attack on version 3, where the attacker could submit two password guesses per falsified attempt against the server instead of just one. This was because in step 2 where the client submits ($$g^x + g^b$$) to the server, they could in fact set $$b$$ to be a second password guess, and since the server doesn't have the password, it can't tell that $$b$$ isn't randomly chosen (like it's supposed to be). The attack and remedy are detailed in the paper for SRP-6.

The remedy described in SRP-6 is that the client send $$kg^x + g^b$$ instead, where $$k = 3$$. However, there is also a version SRP-6a (which is the version detailed on the page above), which sets $$k = H(N, g)$$. Since both $$N$$ and $$g$$ are publicly known values ($$N$$ is a large safe prime, and $$g$$ is it's generator), and the $$(g,N)$$ group is used for all transactions in a given SRP system (independent of password, user or session), $$k$$ is still a constant value.

So the question is, what's the justification/benefit of picking this alternate value $$H(N,g)$$ for $$k$$? This value of $$k$$ is used in the TLS/SRP implementation, but I haven't found any explanation for why.

## Solution

If k is a constant, such as 3, it becomes possible to select a pair (N,g) such that the discrete log of k to the base g is known, which would enable the two-for-one guessing attack again.