passwd salt iteration                                            nonce
    |   |    |                                                     |________________________________________,
    V   V    V                                                     |                                        |
Hi( *,  *,   * ) = SaltedPassword ---------------------------------)----------,                             |
                          |                                        |          |                             |
                          V                                        |          V                             |
                    HMAC(key, "Client Key") = ClientKey            |    HMAC(key, "Server Key") = ServerKey |
                                               |    |              |                                   |    |
                                               |    V              |                                   |    |
                                               |  H(*) = StoredKey |                                   |    |
                                               |              |    |                                   |    |
                                               |              V    V                                   V    V
                                               |        HMAC(key, str) = ClientSignature         HMAC(key, str) = ServerSignature
                                               |                           |
                                               V___________________________V
                                              XOR
                                               |
                                               V
                                          ClientProof

Server:
  exchange nonce
  recv ClientProof
  StoredKey = authDB[username]
  ClientSignature = HMAC(StoredKey, nonce)
  ClientKey = ClientProof XOR ClientSignature
  if H(ClientKey) == StoredKey then
      OK // the client knows the correct ClientKey.
  else
      NG



HMAC(key, str): Apply the HMAC keyed hash algorithm
H(str): Apply the cryptographic hash function
Hi(str, salt, i):

 U1   := HMAC(str, salt + INT(1))
 U2   := HMAC(str, U1)
 ...
 Ui-1 := HMAC(str, Ui-2)
 Ui   := HMAC(str, Ui-1)

 Hi := U1 XOR U2 XOR ... XOR Ui

jambow