Class SRP6Routines
- All Implemented Interfaces: Serializable
The routines comply with RFC 5054 (SRP for TLS), with the following exceptions:
- The computation of the password key 'x' is modified to omit the user identity 'I' in order to allow for server-side user identity renaming as well as authentication with multiple alternate identities.
- The evidence messages 'M1' and 'M2' are computed according to Tom Wu's paper "SRP-6: Improvements and refinements to the Secure Remote Password protocol", table 5, from 2002.
This class contains portions of code from Bouncy Castle's SRP6 implementation.
Constructor Summary
- SRP6Routines()
Method Summary
- computeClientEvidence(MessageDigest digest, BigInteger A, BigInteger B, BigInteger S)
  Computes the client evidence message M1 = H(A | B | S)
- computeK(MessageDigest digest, BigInteger N, BigInteger g)
  Computes the SRP-6 multiplier k = H(N | PAD(g))
- computePublicClientValue
  Computes the public client value A = g^a (mod N)
- computePublicServerValue(BigInteger N, BigInteger g, BigInteger k, BigInteger v, BigInteger b)
  Computes the public server value B = k * v + g^b (mod N)
- protected BigInteger computeServerEvidence(MessageDigest digest, BigInteger A, BigInteger M1, BigInteger S)
  Computes the server evidence message M2 = H(A | M1 | S)
- computeSessionKey(BigInteger N, BigInteger v, BigInteger u, BigInteger A, BigInteger b)
  Computes the session key S = (A * v^u) ^ b (mod N) from server-side parameters.
- computeSessionKey(BigInteger N, BigInteger g, BigInteger k, BigInteger x, BigInteger u, BigInteger a, BigInteger B)
  Computes the session key S = (B - k * g^x) ^ (a + u * x) (mod N) from client-side parameters.
- computeU(MessageDigest digest, BigInteger N, BigInteger A, BigInteger B)
  Computes the random scrambling parameter u = H(PAD(A) | PAD(B))
- computeVerifier(BigInteger N, BigInteger g, BigInteger x)
  Computes a verifier v = g^x (mod N)
- computeX(MessageDigest digest, byte[] salt, byte[] password)
  Computes x = H(s | H(P))
- generatePrivateValue(BigInteger N, SecureRandom random)
  Generates a random SRP-6a client or server private value ('a' or 'b') which is in the range [1,N-1] generated by a random number of at least 256 bits.
- static byte[] generateRandomSalt(int numBytes)
  Generates a random salt 's'.
- static byte[] generateRandomSalt(int numBytes, SecureRandom random)
  Generates a random salt 's'.
- protected byte[] getPadded(BigInteger n, int length)
  Pads a big integer with leading zeros up to the specified length.
- protected BigInteger hashPaddedPair(MessageDigest digest, BigInteger N, BigInteger n1, BigInteger n2)
  Hashes two padded values 'n1' and 'n2' where the total length is determined by the size of N.
- boolean isValidPublicValue(BigInteger N, BigInteger value)
  Validates an SRP6 client or server public value ('A' or 'B').
-
Constructor Details
-
SRP6Routines
public SRP6Routines()
-
Method Details
-
computeK
Computes the SRP-6 multiplier k = H(N | PAD(g))
Specification: RFC 5054.
- Parameters:
  digest - The hash function 'H'. Must not be null.
  N - The prime parameter 'N'. Must not be null.
  g - The generator parameter 'g'. Must not be null.
- Returns:
  The resulting multiplier 'k'.
-
generateRandomSalt
public static byte[] generateRandomSalt(int numBytes)
Generates a random salt 's'.
- Parameters:
  numBytes - The number of bytes the salt 's' must have.
- Returns:
  The salt 's' as a byte array.
-
generateRandomSalt
Generates a random salt 's'.
- Parameters:
  numBytes - The number of bytes the salt 's' must have.
  random - A secure random number generator.
- Returns:
  The salt 's' as a byte array.
-
computeX
Computes x = H(s | H(P))
Note that this method differs from the RFC 5054 recommendation, which includes the user identity 'I', i.e. x = H(s | H(I | ":" | P))
- Parameters:
  digest - The hash function 'H'. Must not be null.
  salt - The salt 's'. Must not be null.
  password - The user password 'P'. Must not be null.
- Returns:
  The resulting 'x' value.
-
computeVerifier
Computes a verifier v = g^x (mod N)
Specification: RFC 5054.
- Parameters:
  N - The prime parameter 'N'. Must not be null.
  g - The generator parameter 'g'. Must not be null.
  x - The password key 'x', see computeX(java.security.MessageDigest, byte[], byte[]). Must not be null.
- Returns:
  The resulting verifier 'v'.
-
generatePrivateValue
Generates a random SRP-6a client or server private value ('a' or 'b') which is in the range [1,N-1] generated by a random number of at least 256 bits.
Specification: RFC 5054.
- Parameters:
  N - The prime parameter 'N'. Must not be null.
  random - Source of randomness. Must not be null.
- Returns:
  The resulting client or server private value ('a' or 'b').
-
computePublicClientValue
Computes the public client value A = g^a (mod N)
Specification: RFC 5054.
- Parameters:
  N - The prime parameter 'N'. Must not be null.
  g - The generator parameter 'g'. Must not be null.
  a - The private client value 'a'. Must not be null.
- Returns:
  The public client value 'A'.
-
computePublicServerValue
public BigInteger computePublicServerValue(BigInteger N, BigInteger g, BigInteger k, BigInteger v, BigInteger b)
Computes the public server value B = k * v + g^b (mod N)
Specification: RFC 5054.
- Parameters:
  N - The prime parameter 'N'. Must not be null.
  g - The generator parameter 'g'. Must not be null.
  k - The SRP-6a multiplier 'k'. Must not be null.
  v - The password verifier 'v'. Must not be null.
  b - The private server value 'b'. Must not be null.
- Returns:
  The public server value 'B'.
-
isValidPublicValue
Validates an SRP6 client or server public value ('A' or 'B').
Specification: RFC 5054.
- Parameters:
  N - The prime parameter 'N'. Must not be null.
  value - The public value ('A' or 'B') to validate.
- Returns:
  true on successful validation, else false.
-
computeU
Computes the random scrambling parameter u = H(PAD(A) | PAD(B))
Specification: RFC 5054.
- Parameters:
  digest - The hash function 'H'. Must not be null.
  N - The prime parameter 'N'. Must not be null.
  A - The public client value 'A'. Must not be null.
  B - The public server value 'B'. Must not be null.
- Returns:
  The resulting 'u' value.
-
computeSessionKey
public BigInteger computeSessionKey(BigInteger N, BigInteger g, BigInteger k, BigInteger x, BigInteger u, BigInteger a, BigInteger B)
Computes the session key S = (B - k * g^x) ^ (a + u * x) (mod N) from client-side parameters.
Specification: RFC 5054.
- Parameters:
  N - The prime parameter 'N'. Must not be null.
  g - The generator parameter 'g'. Must not be null.
  k - The SRP-6a multiplier 'k'. Must not be null.
  x - The 'x' value, see computeX(java.security.MessageDigest, byte[], byte[]). Must not be null.
  u - The random scrambling parameter 'u'. Must not be null.
  a - The private client value 'a'. Must not be null.
  B - The public server value 'B'. Must not be null.
- Returns:
  The resulting session key 'S'.
-
computeSessionKey
public BigInteger computeSessionKey(BigInteger N, BigInteger v, BigInteger u, BigInteger A, BigInteger b)
Computes the session key S = (A * v^u) ^ b (mod N) from server-side parameters.
Specification: RFC 5054.
- Parameters:
  N - The prime parameter 'N'. Must not be null.
  v - The password verifier 'v'. Must not be null.
  u - The random scrambling parameter 'u'. Must not be null.
  A - The public client value 'A'. Must not be null.
  b - The private server value 'b'. Must not be null.
- Returns:
  The resulting session key 'S'.
-
computeClientEvidence
public BigInteger computeClientEvidence(MessageDigest digest, BigInteger A, BigInteger B, BigInteger S)
Computes the client evidence message M1 = H(A | B | S)
Specification: Tom Wu's paper "SRP-6: Improvements and refinements to the Secure Remote Password protocol", table 5, from 2002.
- Parameters:
  digest - The hash function 'H'. Must not be null.
  A - The public client value 'A'. Must not be null.
  B - The public server value 'B'. Must not be null.
  S - The session key 'S'. Must not be null.
- Returns:
  The resulting client evidence message 'M1'.
-
computeServerEvidence
protected BigInteger computeServerEvidence(MessageDigest digest, BigInteger A, BigInteger M1, BigInteger S)
Computes the server evidence message M2 = H(A | M1 | S)
Specification: Tom Wu's paper "SRP-6: Improvements and refinements to the Secure Remote Password protocol", table 5, from 2002.
- Parameters:
  digest - The hash function 'H'. Must not be null.
  A - The public client value 'A'. Must not be null.
  M1 - The client evidence message 'M1'. Must not be null.
  S - The session key 'S'. Must not be null.
- Returns:
  The resulting server evidence message 'M2'.
-
hashPaddedPair
protected BigInteger hashPaddedPair(MessageDigest digest, BigInteger N, BigInteger n1, BigInteger n2)
Hashes two padded values 'n1' and 'n2' where the total length is determined by the size of N.
H(PAD(n1) | PAD(n2))
- Parameters:
  digest - The hash function 'H'. Must not be null.
  N - Its size determines the pad length. Must not be null.
  n1 - The first value to pad and hash.
  n2 - The second value to pad and hash.
- Returns:
  The resulting hashed padded pair.
-
getPadded
Pads a big integer with leading zeros up to the specified length.
- Parameters:
  n - The big integer to pad. Must not be null.
  length - The required length of the padded big integer as a byte array.
- Returns:
  The padded big integer as a byte array.
-
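The formulas documented above, composed into one client/server exchange with a correct and a wrong password, as an added example that is not this class's code and calls none of its methods. Assumptions: a constructed toy group (N = 2^127 - 1, g = 2, demo only; real deployments use the groups from the RFC 5054 appendix), SHA-256 as 'H', and 'A', 'B' and 'S' padded to the length of N inside M1 and M2; the class and method names are made up for the sketch.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

public class Srp6FormulaDemo {
    // Constructed toy group, demo only: N = 2^127 - 1 (prime, but not a safe prime), g = 2.
    static final BigInteger N = BigInteger.ONE.shiftLeft(127).subtract(BigInteger.ONE);
    static final BigInteger g = BigInteger.valueOf(2);
    static final SecureRandom RND = new SecureRandom();

    static byte[] h(byte[]... parts) throws Exception {            // H = SHA-256 over the concatenation
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        for (byte[] p : parts) md.update(p);
        return md.digest();
    }
    static BigInteger num(byte[] b) { return new BigInteger(1, b); }
    static byte[] pad(BigInteger n) {                               // PAD: left-pad to the byte length of N
        byte[] raw = n.toByteArray(), out = new byte[(N.bitLength() + 7) / 8];
        int len = Math.min(raw.length, out.length);
        System.arraycopy(raw, raw.length - len, out, out.length - len, len);
        return out;
    }
    static BigInteger priv() {                                      // private value in [1, N-1]
        return new BigInteger(256, RND).mod(N.subtract(BigInteger.ONE)).add(BigInteger.ONE);
    }
    static BigInteger x(byte[] salt, String pw) throws Exception {  // x = H(s | H(P)), no identity 'I'
        return num(h(salt, h(pw.getBytes(StandardCharsets.UTF_8))));
    }
    // Runs one exchange; true only if the server accepts M1 and the client accepts M2.
    static boolean login(byte[] salt, BigInteger v, String typedPassword) throws Exception {
        BigInteger k = num(h(pad(N), pad(g)));                      // k = H(N | PAD(g))
        BigInteger a = priv(), A = g.modPow(a, N);                  // client: A = g^a
        if (A.mod(N).signum() == 0) return false;                   // server rejects A = 0 (mod N)
        BigInteger b = priv(), B = k.multiply(v).add(g.modPow(b, N)).mod(N);
        if (B.mod(N).signum() == 0) return false;                   // client rejects B = 0 (mod N)
        BigInteger u = num(h(pad(A), pad(B)));                      // u = H(PAD(A) | PAD(B))
        BigInteger xc = x(salt, typedPassword);
        BigInteger sC = B.subtract(k.multiply(g.modPow(xc, N))).mod(N).modPow(a.add(u.multiply(xc)), N);
        BigInteger sS = A.multiply(v.modPow(u, N)).mod(N).modPow(b, N);
        byte[] m1 = h(pad(A), pad(B), pad(sC));                     // client sends M1 = H(A | B | S)
        if (!MessageDigest.isEqual(m1, h(pad(A), pad(B), pad(sS)))) return false; // server check
        byte[] m2 = h(pad(A), m1, pad(sS));                         // server sends M2 = H(A | M1 | S)
        return MessageDigest.isEqual(m2, h(pad(A), m1, pad(sC)));   // client check
    }
    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        RND.nextBytes(salt);
        BigInteger v = g.modPow(x(salt, "correct horse"), N);       // v = g^x, independent of the user name
        System.out.println("right password accepted: " + login(salt, v, "correct horse"));
        System.out.println("wrong password accepted: " + login(salt, v, "Tr0ub4dor"));
    }
}
```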