Internet-Draft | EAP SHA256 SRP6a | November 2022 |
Ammirata, et al. | Expires 27 May 2023 | [Page] |
This document describes an authentication protocol intended for Internet applications which may require a robust and non-leaky exchange of credentials even under adverse network conditions. The protocol has the ability to recover from packet loss during the authentication process, as for example, should the Internet application use the UDP transport protocol under lossy network conditions. It does so by allowing the retransmission of lost packets during authentication. The protocol follows the Extensible Authentication Protocol (RFC 3748 and RFC 5247) framework, which allows for the use of multiple authentication mechanisms. It utilizes Secure Remote Password protocol (RFC 2945), with strong, password-based cryptographic hashing. It utilizes the Secure Hashing Algorithm message digest algorithm as the hashing mechanism. The authentication protocol allows for one Server and one or more Clients. Where multiple Clients exist, each may communicate only with the Server. Clients initiate the authentication exchange process. Until the authentication completes successfully, the Server and Client ignore/discard any packets except those supporting the authentication process. The authentication algorithm is based on a username/password or passphrase pair. These are used to generate secure ephemeral keys. The Server has a store of all valid usernames and password hashes. Each Client stores its own username and password. The authentication algorithm provides for each side to prove to the other that it has a valid username/password or passphrase pair, in a way that a third-party monitoring the transactions could not use intercepted information to later successfully authenticate. This mutual authentication exchange consists of several pairs of interactions. The first is a request for authentication by the Client, containing the Client name, to which the Server responds with a challenge for its identity. The Client responds with the Server name for verification purposes. Thereafter, Client and Server each exchange three values consisting of password salts, ephemeral public keys, and hash values. These are generated and verified by Client and Server in accordance with SRP against the stored password/passphrase hashes. While any step in the process may be repeated to provide for dropped packets should a response not be received, the authentication process is terminated by any incorrect value received in any response. Multicast UDP authentication is also supported, with certain limitations.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 27 May 2023.¶
Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The method described in this document is designed for network applications desiring an authentication protocol in which a robust, mutual, and non-leaky exchange of credentials is required.¶
For each authentication instance, the model is as follows:¶
This document is consistent with RFC 2119 Internet Best Current Practices regarding key words for use in RFCs to indicate requirements levels.¶
The packets described in this document are EAP packets, encapsulated using EtherType 0x888E. This section describes three encapsulation methods for the EAP packets, as follows:¶
When using Layer-2 Encapsulation, the EAP packets described in this document are encapsulated in Ethernet packets with EtherType 0x888E, as shown in Figure A.¶
Figure A: Layer-2 Encapsulation¶
:0 1 2 3
¶
:0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Destination MAC Address +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Source MAC Address |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Ethertype=0x888E | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ EAP Packet |
: :
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
When using Layer-3 Encapsulation, the EAP packets described in this document are encapsulated using GRE over IP as per RFC 2784 [RFC2784] as shown in Figure B. Packet encryption shall not be used.¶
Figure B: Layer-3 Encapsulation¶
:0 1 2 3
¶
:0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
: IP Header with Protocol=47 (GRE) :
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
: GRE Header with Protocol Type = 0x888E :
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
: EAP Packet :
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
When using Layer-4 Encapsulation, the EAP packets described in this document are encapsulated using GRE over UDP as per [RFC8086], with the following modifications:¶
The encapsulation is shown in Figure C.¶
Figure C: Layer-4 Encapsulation¶
:0 1 2 3
¶
:0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
: IP Header with Protocol=17 (UDP) :
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
: UDP Header :
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
: GRE Header with Protocol Type = 0x888E :
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
: EAP Packet :
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fundamentally, the authentication algorithm is based on a username/password pair. The Server has a list of all the usernames and passwords (in a secure format); an authorized Client knows its username and password as well. The authentication algorithm provides a secure way for the Client to prove to the Server that it knows a valid username/password pair, in a way that a third-party monitoring the transactions cannot use the information exchanged to later successfully login to the Server. It also provides a secure way for the Client to authenticate the Server. Finally, the algorithm also generates a common strong ephemeral shared key that may be used to encrypt future unicast communication between the authenticated Client and the Server.¶
The algorithm is based on two fundamental values, the generator value "g" and the prime modulus "N". The Server may use different values of "g" and "N" per Client, since these values are communicated to the Client at the beginning of the negotiation. The following rules shall be observed:¶
In the algorithm description below, the following operations are used:¶
% Modulo operator (as in the C programming language); the remainder of a division. The notation x % y shall indicate the remainder of the division of "x" by "y".¶
^ Modulo "N" exponentiation. The notation x ^ y shall indicate the remainder of "x" to the power "y" when divided by the prime modulus "N". Example:
x = 2
y = 10
N = 263
x^y = (2^10) modulo 263 = 1024 modulo 263 = 235 (remainder of 1024/263)¶
| String concatenation. This operator creates a string that is a concatenation of its two arguments, in the same manner as the "strcat" function in a standard C library.¶
The algorithm shall use the SHA256 hashing algorithm. If multiple arguments are provided to the SHA256 function, this indicates that the arguments shall be concatenated, and the SHA256 function applied to the combined value. For example, SHA256(x, y) means "create a buffer with the contents of "x", followed by the contents of "y", and apply the SHA256 algorithm to the resulting buffer". When the SHA256 hash is applied to a string, the null terminator (if present) shall not be included in the hash computation.¶
For each Client, the Server shall select a random salt "s", containing at least four octets. If the Client password is denoted by "P" and the Client username by "I", the separator character being ":", use of said character shall be disallowed for use in "P" or "I". The Server shall compute the value "x" defined by:¶
x = SHA256(s, SHA256(I | ":" | P))¶
For each Client, the Server shall compute the password verifier "v" as follows:¶
v = g^x¶
The Server shall store the values "s" and "v" for each Client, indexed by the Client username "I". The Server should not store the cleartext password "P".¶
The Client starts the authentication process by contacting the Server using the EAPoL-Start message of section 4.2.1 (or any empty message, such as a keep-alive). The Server requests the Client username "I" using the Identity Request message of section 4.2.3.1, and the Client returns this information using the Identity Response message of section 4.2.3.1.¶
If the username "I" is known to the Server, the Server sends the corresponding "s", "g" and "N" values to the Client using the Challenge Request Packet of section 4.2.4.1. If the Client's username is not known to the Server, it may abort at this point or continue with fake values for "s", "g" and "N". This is described in detail in section 4.2.4.1.¶
Upon reception of the Challenge Request Packet, the Client caches the "s", "g", and "N" values, and generates a random number "a" between 1 and N-1. It then computes the value "A" as follows:¶
A = g^a¶
The value "A" is returned to the Server in the Client Key Response Packet of section 4.2.4.2. The Server caches this value for later use. Upon reception of the Client Key Response, the Server generates a random number "b" between 1 and N-1, and computes the value "B" as follows:¶
k = SHA256(N, g)
B = (kv + g^b) % N¶
The value "B" is returned to the Client in the Server Key Request Packet of section 4.2.4.3. Upon receiving the value "B", the Client performs the following computations:¶
u = SHA256(A, B)
x = SHA256(s, SHA256(I, ":", P))
k = SHA256(N, g)
S = ((B - kg^x) ^ (a +ux)) % N
K = SHA256(S)
M1 = SHA256(SHA256(N) xor SHA256(g), SHA256(I, s, A, B, K))¶
The value "M1" above is returned to the Server in the Client Validator Response Packet from section 4.2.4.4, and the Client caches the session key "K".¶
Upon receiving the "M1" value, the Server performs the following computations:¶
u = SHA256(A, B)
S = ((Av^u) ^ b) % N
K = SHA256(S)
M1 = SHA256(SHA256(N) xor SHA256(g), SHA256(I, s, A, B, K))¶
If the local "M1" calculation yields the same value as the received "M1" value, the Server shall consider the Client as authenticated. The Server computes the value "M2" as follows:¶
M2 = SHA256(A, M1, K)¶
The "M2" value is returned to the Client using the Server Validator Request Packet from section 4.2.4.5. Upon receiving this packet, the Client performs the same computation, and if the local calculation yields the same "M2" value as the received packet, the Client shall consider the Server authenticated.¶
This section describes the various packet formats used in the authentication process. The packet formats in the illustration follow a hierarchical structure based on GRE-encapsulated EAPoL packets. The hierarchy is depicted in Figure 1. The boxed items in Figure 1 represent the actual packets transmitted in the network at the various phases of the protocol and are documented in this section. All protocol transactions shall use unicast addressing between Server and Client.¶
Figure 1: Authentication Packet Format Hierarchy¶
: +------------+
¶
: |EAPoL Packet|
: +------------+
: / | \
: / | \
:+------------+ +------------+ +------------+
:| Start | | Logoff | | EAP Packet |
:+------------+ +------------+ +------------+
: / / | \
: --------------- / | \
: / / | \
: +------------+ +------------+ | \
: | Success | | Failure | | \
: +------------+ +------------+ +------------+ +------------+
: | Request | | Response |
: +------------+ +------------+
: | /
: | /
: ---------------
: / | \
: +---------+ +---------------+ +------------+
: | NAK | |EAP SRP SHA256 | | IDENTITY |
: +---------+ +---------------+ +------------+
: | |
: | |
: +------------------+ +------------------+
: | CHALLENGE | | CLIENT KEY |
: +------------------+ +------------------+
: | |
: +------------------+ +------------------+
: | SERVER KEY | | CLIENT VALIDATOR |
: +------------------+ +------------------+
: | |
: +------------------+ |
: | SERVER VALIDATOR | |
: +------------------+ |
: | |
: +------------------+ +------------------+
: | PASSPHRASE | | PASSPHRASE |
: +------------------+ +------------------+
Figure 2 shows the authentication packet format.¶
Figure 2: Authentication Packet Format¶
:0 1 2 3
¶
:0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| EAP Version=3 | EAPoL Type | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
: Packet Payload (EAPoL Type=0) :
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The fields in Figure 2 are to be set as follows:¶
Figure 3 shows the packet payload format for EAPoL Type 0.¶
Figure 3: Packet Payload for EAPoL Type=0¶
:0 1 2 3
¶
:0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| EAP Version=3 | EAPoL Type=0 | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Data (variable, depends on Code) ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Set the fields in Figure 3 as follows:¶
Code (8 bits): set this field to identify the type of EAP packet, as follows:
0x01: Request
0x02: Response
0x03: Success
0x04: Failure
All other values: reserved. Receivers shall silently discard packets with these values.¶
Identifier (8 bits): this field is used to match responses with requests. The initial request shall select an arbitrary value for the request packet. The response shall use the same value in the response to that request, which may be a Response packet, a Success packet, or a Failure packet. The identifier shall be incremented by one at every new request message. It shall not be changed on a retransmission of a message. Any non-matching Response messages shall be discarded. As indicated in section 4, a full authentication exchange includes up to four distinct packets originated by the authentication Server. The authentication Server shall use four consecutive values for the Identifier field for full protocol exchange. Successive protocol exchanges for the same connection (identified by Client IP address and source UDP port) shall use non-overlapping Identifier values. Since the Identifier field is only 8 bits, the value 0x00 is deemed to follow the value 0xFF.¶
Length (16 bits): set this field to the length of the EAP packet, including the Code, Identifier, Length and the variable-size data. If the overall packet is longer than what is indicated by the length field, additional octets shall be ignored. If the overall packet is truncated (i.e., not enough octets received to satisfy the length field), the packet shall be discarded.¶
Data (variable): the data field is zero or more octets. The size and format of the data field depends on the Code field, as described below.¶
Figure 4 shows the packet payload format for Request (Code=0x01) and Response (Code=0x02) packets.¶
Figure 4: Packet Payload Format for Request/Response Packets¶
:0 1 2 3
¶
:0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| EAP Version=3 | EAPoL Type=0 | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code=1 or 2 | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Type-Data (variable, depends on Type) ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Set the fields in Figure 4 as follows:¶
Type (8 bits): the Type field shall indicate the format of the messages used in the Request/Response exchanges. The following values are defined in this document:¶
0x01: Identity
0x03: Nak (only valid for Response packets, shall not be sent on Request packets)
0x13: EAP SRP-SHA256
All other values reserved.¶
Type-Data (variable): set this field depending on the Type value, as documented below.¶
Identity Request packets are sent from the Server to the Client. Upon reception of the Identity request packet, the Client shall answer with the Identity Response packet. In the Identity Request packet, the Server may include a displayable message in the Type-Data field. The Client shall return its identity as a string (typically the Username) in the Type-Data field. Strings shall not be null-terminated.¶
Figure 5: Identity Packets¶
:0 1 2 3
¶
:0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| EAP Version=3 | EAPoL Type=0 | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code=1 or 2 | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type=0x01 | Message for Code=1, Username for Code=2
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Nak Response Packets shall be sent in response to any unknown or unsupported requests. The Type-Data field shall be set to one octet with value 0x13, to indicate that only EAP SRP-SHA256 authentication is supported. The Nak response packet is shown in Figure 6.¶
Figure 6: Nak Response Packet¶
:0 1 2 3
¶
:0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| EAP Version=3 | EAPoL Type=0 | Payload Length=6 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code=2 | Identifier | Length=6 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type=0x03 | Data=0x13 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 7 shows the packet formats for the EAP SRP-SHA256 packets.¶
Figure 7: EAP SRP-SHA256 Packet Formats¶
:0 1 2 3
¶
:0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| EAP Version=3 | EAPoL Type=0 | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code=1 or 2 | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type=0x13 | Subtype | :
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Subtype-Data (variable) :
: :
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Set the fields in Figure 7 as follows:¶
Subtype (8 bits): the subtype field shall be set to one of the following values:¶
0x01: Challenge / Client Key
¶
0x02: Server Key / Client Validator
¶
0x03: Server Validator
¶
0x10: Passphrase Request / Response
¶
All other values reserved. If a device receives an unknown subtype, it shall respond with a packet of Type Nak.¶
Subtype Data (variable): set this field depending on the Type and Subtype values, as documented below.¶
The EAP SRP-SHA256 Challenge is a Request packet sent from the Server to the Client once the username has been received from the Client. It includes the unauthenticated Server name for verification purposes, the password salt "s", the generator value "g", and the prime modulus "N". The packet format is shown in Figure 8.¶
Figure 8: EAP SRP-SHA256 Challenge Packet¶
:0 1 2 3
¶
:0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| EAP Version=3 | EAPoL Type=0 | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code=1 | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type=0x13 | Subtype=0x01 | Name Length |Name (variable):
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Salt Length | Salt (variable) ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Gen Length | Generator (variable) ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Prime Modulus (variable) ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Set the fields in the packet in Figure 8 as follows:¶
If the Prime Modulus field in Figure 8 is empty, the Client shall assume the value below for value "N". In this case, the Gen Length value shall be zero and the Generator value shall be assumed as "2". The value for "N" is:¶
0xAC, 0x6B, 0xDB, 0x41, 0x32, 0x4A, 0x9A, 0x9B, 0xF1, 0x66, 0xDE, 0x5E, 0x13, 0x89, 0x58, 0x2F, 0xAF, 0x72, 0xB6, 0x65, 0x19, 0x87, 0xEE, 0x07, 0xFC, 0x31, 0x92, 0x94, 0x3D, 0xB5, 0x60, 0x50, 0xA3, 0x73, 0x29, 0xCB, 0xB4, 0xA0, 0x99, 0xED, 0x81, 0x93, 0xE0, 0x75, 0x77, 0x67, 0xA1, 0x3D, 0xD5, 0x23, 0x12, 0xAB, 0x4B, 0x03, 0x31, 0x0D, 0xCD, 0x7F, 0x48, 0xA9, 0xDA, 0x04, 0xFD, 0x50, 0xE8, 0x08, 0x39, 0x69, 0xED, 0xB7, 0x67, 0xB0, 0xCF, 0x60, 0x95, 0x17, 0x9A, 0x16, 0x3A, 0xB3, 0x66, 0x1A, 0x05, 0xFB, 0xD5, 0xFA, 0xAA, 0xE8, 0x29, 0x18, 0xA9, 0x96, 0x2F, 0x0B, 0x93, 0xB8, 0x55, 0xF9, 0x79, 0x93, 0xEC, 0x97, 0x5E, 0xEA, 0xA8, 0x0D, 0x74, 0x0A, 0xDB, 0xF4, 0xFF, 0x74, 0x73, 0x59, 0xD0, 0x41, 0xD5, 0xC3, 0x3E, 0xA7, 0x1D, 0x28, 0x1E, 0x44, 0x6B, 0x14, 0x77, 0x3B, 0xCA, 0x97, 0xB4, 0x3A, 0x23, 0xFB, 0x80, 0x16, 0x76, 0xBD, 0x20, 0x7A, 0x43, 0x6C, 0x64, 0x81, 0xF1, 0xD2, 0xB9, 0x07, 0x87, 0x17, 0x46, 0x1A, 0x5B, 0x9D, 0x32, 0xE6, 0x88, 0xF8, 0x77, 0x48, 0x54, 0x45, 0x23, 0xB5, 0x24, 0xB0, 0xD5, 0x7D, 0x5E, 0xA7, 0x7A, 0x27, 0x75, 0xD2, 0xEC, 0xFA, 0x03, 0x2C, 0xFB, 0xDB, 0xF5, 0x2F, 0xB3, 0x78, 0x61, 0x60, 0x27, 0x90, 0x04, 0xE5, 0x7A, 0xE6, 0xAF, 0x87, 0x4E, 0x73, 0x03, 0xCE, 0x53, 0x29, 0x9C, 0xCC, 0x04, 0x1C, 0x7B, 0xC3, 0x08, 0xD8, 0x2A, 0x56, 0x98, 0xF3, 0xA8, 0xD0, 0xC3, 0x82, 0x71, 0xAE, 0x35, 0xF8, 0xE9, 0xDB, 0xFB, 0xB6, 0x94, 0xB5, 0xC8, 0x03, 0xD8, 0x9F, 0x7A, 0xE4, 0x35, 0xDE, 0x23, 0x6D, 0x52, 0x5F, 0x54, 0x75, 0x9B, 0x65, 0xE3, 0x72, 0xFC, 0xD6, 0x8E, 0xF2, 0x0F, 0xA7, 0x11, 0x1F, 0x9E, 0x4A, 0xFF, 0x73¶
The EAP SRP-SHA256 Client Key is a Response packet sent by the Client in response the Challenge packet described in section 4.2.4.1. The packet format is shown in Figure 9.¶
Figure 9: EAP SRP-SHA256 Client Key Packet Format¶
:0 1 2 3
¶
:0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| EAP Version=3 | EAPoL Type=0 | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code=2 | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type=0x13 | Subtype=0x01 | Value A (variable) ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The Client shall set the fields in Figure 9 as follows:¶
Value A (variable): the result of g^a, where "a" is a randomly chosen number in the range 1 .. N (exclusive), as described in section 4.1. The randomly chosen number is the Client's private key, and the Value A field is the corresponding public key. This field shall be in network byte order and shall not be padded. The "A" value shall not be zero modulo N. If the Server receives a bad value for this field, it shall send a Failure packet described in section 4.2.5 and shall disconnect the link.¶
The EAP SRP-SHA256 Server Key is a Request packet sent by the Server after it has received the Client Key packet described in section 4.2.4.2. The packet format is shown in Figure 10.¶
Figure 10: EAP SRP-SHA256 Server Key Packet Format¶
:0 1 2 3
¶
:0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| EAP Version=3 | EAPoL Type=0 | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code=1 | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type=0x13 | Subtype=0x02 | Value B (variable) ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The fields in Figure 10 shall be set as follows:¶
Value B (variable): the result of (kv + g^b) % N, where "b" is a randomly chosen number in the range 1 .. N (exclusive), "v" is the stored verifier from the authentication database, and k=SHA256(N, g), as described in section 3.1. The randomly chosen number is the Server's private key, and the Value B field is the corresponding public key. This field shall be in network byte order and shall not be padded. The B value shall not be zero modulo N. If the Client receives a bad value for this field, it shall send a Failure packet described in section 4.2.5 and shall disconnect the link.¶
The EAP SRP-SHA256 Client Validator is a Response packet sent by the Client in response to the Server Key packet described in section 4.2.4.5. The packet format is shown in Figure 11.¶
Figure 11: EAP SRP-SHA256 Client Validator Packet Format¶
:0 1 2 3
¶
:0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| EAP Version=3 | EAPoL Type=0 | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code=2 | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type=0x13 | Subtype=0x02 | Reserved1 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Reserved2 |U| Value M1 (32 octets) ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The Client shall set the fields in Figure 11 as follows:¶
Upon reception of the Client Validator response, the Server shall compute the M1 value and check against the value that is received from the Client. If the value matches, the Client is deemed authenticated and the Server sends the Server Validator Request packet described in section 4.2.4.5. If the M1 value does not match, authentication has failed. The Server shall send the Failure packet described in section 4.2.5 and shall disconnect the link.¶
The EAP SRP-SHA256 Server Validator is a Request packet sent by the Server in response to the Client Validator packet described in section 4.2.4.4. The packet format is shown in Figure 12.¶
Figure 12: EAP SRP-SHA256 Server Validator Packet Format¶
:0 1 2 3
¶
:0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| EAP Version=3 | EAPoL Type=0 | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code=1 | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type=0x13 | Subtype=0x03 | Reserved1 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Reserved2 |U| Value M2 (32 octets) ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The Server shall set the fields in Figure 12 as follows:¶
Upon reception of the Server Validator request, the Client shall compute the M2 value and check against what was received from the Server. If the value matches, the Server is deemed authenticated and the Client shall send the Success packet described in section 4.2.5 and the authentication process is complete. If the M2 value does not match, authentication has failed. The Client shall send the Failure packet described in section 4.2.5 and shall disconnect the link.¶
The EAP SRP-SHA256 Passphrase Request packet is used to request the passphrase currently in use. This packet may be used by the Client and/or the Server, as different passphrases may be in use on either communication direction. The packet format is shown in Figure 13.¶
Figure 13: EAP SRP-SHA256 Passphrase Request Packet¶
:0 1 2 3
¶
:0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| EAP Version=3 | EAPoL Type=0 | Payload Length=6 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code=1 | Identifier | Length=6 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type=0x13 | Subtype=0x10 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
If used, this packet shall only be transmitted after both the Server and the Client have been authenticated. The recipient of the packet shall respond to it as follows:
¶
The EAP SRP-SHA256 Passphrase Response provides the passphrase, encrypted by the common session K. As indicated in section 4.2.4.6, this response is only issued if authentication has successfully completed. The packet format is shown in Figure 14.¶
Figure 14: EAP SRP-SHA256 Passphrase Response Packet¶
:0 1 2 3
¶
:0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| EAP Version=3 | EAPoL Type=0 | Payload Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code=2 | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type=0x13 | Subtype=0x10 |U|H| Reserved | :
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ :
: Encrypted Passphrase (variable) ... :
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The fields in Figure 14 shall be set as follows:¶
The recipient of the EAP SRP-SHA256 Passphrase Response packet shall acknowledge its reception by sending a Success packet (see section 4.2.5) with the same Identifier as the Passphrase Response packet being acknowledged.¶
If this protocol is to be used within an application employing an on-the-fly passphrase change mechanism, the side responsible for generating the passphrase may optionally send an unsolicited Passphrase Response Packet with a new passphrase. In such a situation, it shall use a value for the Identifier field that is different from the previous Passphrase Response packet. It shall not send a new passphrase until it starts using the passphrase from the last Passphrase Response packet to generate the key used to encrypt the stream. In a multicast environment, this same side is responsible for contacting all others that are selected to receive the new passphrase; the details of this process are left to the discretion of the implementer.¶
Figure 15 shows the packet format for Success (code 3) and Failure (code 4) packets. Such packets have no additional data. Set the Identifier to match the value of the corresponding Request/Response packet.¶
Figure 15: Packet Payload Format for Success/Failure Packets¶
:0 1 2 3
¶
:0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| EAP Version=3 | EAPoL Type=0 | Payload Length=4 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code=3 or 4 | Identifier | Length=4 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
This section describes the authentication protocol exchanges. For each exchange, the Server selects a starting value for the 8-bit Identifier field as described in section 4.2.2, and increments this value for each successive request. In the protocol exchanges presented in this section, the starting value of the Identifier field is denoted by n.¶
Figure 16 shows the protocol exchange for a successful authentication exchange. The Client can start the process (message 1) using the EAPoL-Start message or any unsolicited message, such as a keep-alive packet.¶
Figure 16: Protocol Exchange for Successful Authentication¶
+----+----------------------------+---+----------------------------+
¶
| | Client | | Server |
| | Message | Doc | ID | | Message | Doc | ID |
+----+--------------+-------+-----+---+--------------+-------+-----+
| 1 | EAPoL-Start | 4.1 | | > | | | |
| 2 | | | | < | Identity Req | 4.3.1 | n |
| 3 | Identity Res | 4.3.1 | n | > | | | |
| 4 | | | | < | Challenge | 4.4.3 | n+1 |
| 5 | Client Key | 4.4.4 | n+1 | > | | | |
| 6 | | | | < | Server Key | 4.4.4 | n+2 |
| 7 | Client Val | 4.4.6 | n+2 | > | | | |
| 8 | | | | < | Server Val | 4.4.7 | n+3 |
| 9 | Success | 4.5 | n+3 | > | | | |
+----+----------------------------+---+----------------------------+
Figure 17 shows a possible protocol exchange for the case where the username is unknown to the Server. Use of this protocol exchange for unknown usernames allows a third party to "test" whether some usernames exist in the Server. If this is a concern, the protocol exchange shown in Figure 18 may be used instead, with the Server sending random data in messages 4 and 6.¶
Figure 17: Protocol Exchange for Unknown Username¶
+----+----------------------------+---+----------------------------+
¶
| | Client | | Server |
| | Message | Doc | ID | | Message | Doc | ID |
+----+--------------+-------+-----+---+--------------+-------+-----+
| 1 | EAPoL-Start | 4.1 | | > | | | |
| 2 | | | | < | Identity Req | 4.3.1 | n |
| 3 | Identity Res | 4.3.1 | n | > | | | |
| 4 | | | | < | Failure | 4.5 | n |
+----+--------------+-------+-----+---+--------------+-------+-----+
Figure 18 shows the protocol exchange when the Client authentication fails. This is determined at the Server when the value carried in the Client Validator packet in message 7 does not match the value computed by the Server. This will happen if the Client does not have the correct password. This exchange can also be used when the Client username does not exist in the Server, with random (fake) data in messages 4 and 6.¶
Figure 18: Protocol Exchange for Client Authentication Failure¶
+----+----------------------------+---+----------------------------+
¶
| | Client | | Server |
| | Message | Doc | ID | | Message | Doc | ID |
+----+--------------+-------+-----+---+--------------+-------+-----+
| 1 | EAPoL-Start | 4.1 | | > | | | |
| 2 | | | | < | Identity Req | 4.3.1 | n |
| 3 | Identity Res | 4.3.1 | n | > | | | |
| 4 | | | | < | Challenge | 4.4.3 | n+1 |
| 5 | Client Key | 4.4.4 | n+1 | > | | | |
| 6 | | | | < | Server Key | 4.4.4 | n+2 |
| 7 | Client Val | 4.4.6 | n+2 | > | | | |
| 8 | | | | < | Failure | 4.5 | n+2 |
+----+--------------+-------+-----+---+--------------+-------+-----+
Figure 18 shows the protocol exchange when the Server validation fails. This will likely only happen if the Client is connecting to a device who is impersonating the Server. Such a device will have no knowledge of the password; it can go through the steps and pretend they completed successfully, but at message 8, the Client detects that the Server validation has failed.¶
Message 9 in Figure 19 is at the option of the Client. If Server validation fails, the Client may simply stop communicating with the Server and may ignore all further messages from it.¶
Figure 19: Protocol Exchange for Server Authentication Failure¶
+----+----------------------------+---+----------------------------+
¶
| | Client | | Server |
| | Message | Doc | ID | | Message | Doc | ID |
+----+--------------+-------+-----+---+--------------+-------+-----+
| 1 | EAPoL-Start | 4.1 | | > | | | |
| 2 | | | | < | Identity Req | 4.3.1 | n |
| 3 | Identity Res | 4.3.1 | n | > | | | |
| 4 | | | | < | Challenge | 4.4.3 | n+1 |
| 5 | Client Key | 4.4.4 | n+1 | > | | | |
| 6 | | | | < | Server Key | 4.4.4 | n+2 |
| 7 | Client Val | 4.4.6 | n+2 | > | | | |
| 8 | | | | < | Server Val | 4.4.7 | n+3 |
| 9 | Failure | 4.5 | n+3 | > | | | |
+----+--------------+-------+-----+---+--------------+-------+-----+
In some situations, it is desirable to periodically re-authenticate the endpoints (Server and/or Client). If requested by the other endpoint, Server or Client shall respond to the re-authentication process described in this section. Server and Client may support initiating the re-authentication process.¶
During re-authentication, normal data exchange between Server and Client shall continue. If re-authentication fails, all communication between Server and Client shall stop.¶
To start re-authentication by Server request, the Server shall send an Identity Request packet (section 4.2.3.1) to the Client to start the process. This is packet 2 in Figure 16. The protocol will then follow the steps shown in Figure 16 for successful authentication, or Figure 17, Figure 18 or Figure 19 for authentication failures.¶
To start re-authentication by Client request, the Client shall send an EAPoL-Start packet (section 4.2.2) to the Server to start the process. This is packet 1 in Figure 16. The protocol will then follow the steps shown in Figure 16 for successful authentication, or Figure 17, Figure 18 or Figure 19 for authentication failures.¶
The re-authentication process will yield a new session key K. If either the Server and/or the Client signal the use of the session key K as the PSK passphrase by using the U bit in the messages described in sections 4.2.4.6 and/or 4.2.4.7, the protocol described in section 4.4 shall be used to switch to the new passphrase. If Server and/or Client are using the session key as the PSK passphrase, they are not required to set the U bit in the re-authentication session; in such a case, the original passphrase remains in use.¶
The interval between successive re-authentication sessions between a Server and a given Client shall be no less than 60 seconds.¶
The protocol described in this document runs over UDP. Therefore, it is possible for packets to be re-ordered, duplicated, or dropped.¶
The authentication process is driven by the Server. If an expected response is not received by a given timeout interval, the request is retried. The Server shall discard duplicate responses. After a certain number of retries, the Server shall discard all the information received and shall wait to be contacted again by the Client. The number of retries is left at the discretion of the implementer but should be no less than three. The timeout is also left at the discretion of the implementer. It is recommended that it be a multiple of the round-trip time between Server and Client.¶
As indicated in Figure 16, a successful authentication exchange requires four packets from the Server, and the first packet is the Identity Request (section 4.2.3.1). The Client shall save the Identifier from that message, which we will denote by n. The Client shall only respond to packets with Identifier in the range of n to n+3 and shall silently discard all packets with identifier values not in this range. If a Client receives a packet with an identifier value of k, with n < k less than or equal to n+3, the Client shall silently discard this packet if it has yet not received the packet with identifier k-1. If the last response the Client sent was for identifier k, with n < k less than or equal to n+3, and now the Client receives a packet with identifier m, with n less than or equal to m less than or equal to k, it shall re-send the original response for identifier m. During an authentication session, the random Server and Client keys shall not change. For example, if the Client receives a duplicate Challenge packet (message 4 in Figure 16), it shall re-send the same Client Key response as with the original request.¶
The Client shall implement a timeout mechanism for expected messages from the Server, until authentication completes. If a protocol message does not arrive by a given timeout interval, the Client shall restart the authentication process. This timeout is left to the discretion of the implementer and should be a multiple of the round-trip time.¶
For the Passphrase Request/Response messages in sections 4.2.4.6 and 4.2.4.7, the sender of each message shall implement a timeout mechanism after each message. If a response is not received by a given timeout interval, the message is retried. After a certain number of retries, the sender shall abort the process. The recovery mechanism in this case is left to the discretion of the implementer.¶
The mechanism described in this document can be used to provide authentication in a multicast streaming environment under the following conditions:¶
Operation is as follows:¶
The re-authentication process described in section 4.4 can be used in this multicast environment. As indicated in that section, the re-authentication can be started either by the Client or the Server.¶
If a Client-initiated re-authentication fails, the Client shall leave the multicast and stop processing the data.¶
Servers know which Clients are active due to the keep-alive messages. If the re-authentication fails with a subset of the receivers, the Server should change the PSK passphrase to remove their access. The process will happen as follows:¶
It is possible to use the authentication mechanism described in this document in a multi-link application. In this case, there are multiple links between the Server and the Client. The following considerations apply to multi-link operation, at the discretion of the implementer:¶
This section provides a numerical example of an authentication exchange. It is provided to allow implementations to be checked against known values. In the example below, all numeric values are presented in base 16 (hexadecimal). Underlined values are random numbers, bold values are computation results. The example uses the weakest legal modulus value (512-bit) for simplicity. Use of greater modulus length in actual implementations is encouraged.¶
The inputs for the algorithm in this example are:¶
The Server generates a random salt "s" for each username/password pair. In this example, the following salt value is used:¶
The Server computes the password verifier "v" as follows (see section 3.1):¶
For the example inputs, the values will be:¶
The Server stores the salt "s" and the verifier "v" indexed by the username "I". There is no need for the Server to store the password "P". Once this is in place, the Server is ready to authenticate the Client.¶
As illustrated in Figure 16, the Client starts the authentication process by sending the EAPoL-Start packet. The Server will send the Identity Request packet, and the Client will respond with the Identity Response packet, indicating the (in this example) "rist" username. The Server will then send the Challenge Request packet from section 4.2.4.1 containing the values "s", "g" and "N", which are cached by the Client.¶
The Client generates a random number "a" between 1 and N-1. In this example, the following value is used:¶
The Client uses the random value "a" to compute the Client key "A" using the following formula:¶
In this example, the Client key "A" value is computed as:¶
The Client key "A" is returned to the Server using the Client Key Response Packet from section 4.2.4.2. The Server checks that A % N is not zero and caches the value "A".¶
The Server generates a random number "b" between 1 and N-1. In this example, the following value is used:¶
The Server computes the Server key "B" as follows:¶
In this example, the Server key "B" is computed as follows:¶
The Server key "B" is sent to the Client using the Server Key Request Packet from section 4.2.4.5. Upon receiving this value, the Client performs the following computations:¶
The values "x" and "k" for this example have already been computed and their values can be found above. The remaining values are:¶
The Client caches the session "K" for possible future use as a passphrase and returns the validator value "M1" back to the Server using the Client Validator Response Packet from section 4.2.4.4.¶
Upon receiving the "M1" value from the Client, the Server computes its own version of "K" and "M1" using the following formulas:¶
If the "M1" value computed by the Server matches what it received from the Client, the Client is deemed authenticated. In this case, the session key "K" will also match. The Server computes its validator value "M2" as follows:¶
For this example, the value is:¶
The current document does not contain additional types or IDs for submission.¶
Not applicable.¶
This entire document describes a security protocol, based upon other security protocols, for optional use with other security mechanisms.¶
We acknowledge the editing assistance provided by John Iacovelli and Ciro Noronha. The description of this protocol was originally published by the Videos Services Forum [Video_Services_Forum] as part of a technical recommendation for the RIST error correction protocol.¶