SRP-6a
RFC2945
A Comparison of the Password-Authenticated Key Exchange Protocols, SRP-6a and PAKE2+
\[ \begin{align}\begin{aligned}k是双方都知道的整数值\\U : salt = s, x = hash(pwd, s), v = g^x
S记录了与U关联的salt = s, v\\U生成随机数a
U -> S: A = g^a, Username\\S根据Username取出对应的s, v
S生成随机数b
S计算: B = k*v + g^b
u = hash(A, B)
S = ( A * v^u )^b
K = hash(S)
S -> U : s, B\\U计算: u = hash(A, B)
x = hash(pwd, s)
S = ( B - k*g^x )^(a + u*x)
= ( k*v + g^b - k*v )^(a + u*x)
= g^(b * (a + u*x))
= (g^a * g^(x*u) )^b
= (A * v^u)^b
K = hash(S)
M1 = hash(A, B, K)\end{aligned}\end{align} \]