passwd salt iteration nonce
| | | |________________________________________,
V V V | |
Hi( *, *, * ) = SaltedPassword ---------------------------------)----------, |
| | | |
V | V |
HMAC(key, "Client Key") = ClientKey | HMAC(key, "Server Key") = ServerKey |
| | | | |
| V | | |
| H(*) = StoredKey | | |
| | | | |
| V V V V
| HMAC(key, str) = ClientSignature HMAC(key, str) = ServerSignature
| |
V___________________________V
XOR
|
V
ClientProof
Server:
exchange nonce
recv ClientProof
StoredKey = authDB[username]
ClientSignature = HMAC(StoredKey, nonce)
ClientKey = ClientProof XOR ClientSignature
if H(ClientKey) == StoredKey then
OK // the client knows the correct ClientKey.
else
NG
HMAC(key, str): Apply the HMAC keyed hash algorithm
H(str): Apply the cryptographic hash function
Hi(str, salt, i):
U1 := HMAC(str, salt + INT(1))
U2 := HMAC(str, U1)
...
Ui-1 := HMAC(str, Ui-2)
Ui := HMAC(str, Ui-1)
Hi := U1 XOR U2 XOR ... XOR Ui
- https://tools.ietf.org/html/rfc5802
- https://tools.ietf.org/html/rfc7804
- https://pgday.ru/presentation/197/59648e3c2ced0.pdf
