Assessment of a possible verifier leak vulnerability

Issue #14 resolved
Bernard Wittwer created an issue

Hello,

According to this article a missing modulo N in the computation of B could be exploited to leak part of the verifier.

Looking at the routine used for the computation of B, it looks like the implementation is subject to the issue.

Could you make a critical evaluation of the article with regard to the current Nimbus implementation?

Thanks, Best Regards, Bernard.

Comments (3)

  1. simon

    Hi Bernard,

    Looking at the B code at SRP6Routines.computePublicServerValue(...) it is:

    g.modPow(b, N).add(v.multiply(k)).mod(N);

    That has the final mod, and stepping through the Java code while running the unit tests, it does the math as per the article you posted, which is:

    B = (k * v + ((g ** b) % N)) % N

    Checking the test coverage by breaking that logic, it fails a test SRP6RoutinesTest.testComputePublicServerValue(...) which runs test vectors against the logic. The test says it took the test vectors from http://srp.stanford.edu/demo/demo.html, although it requires Java applets to be enabled to run. Checking that Stanford demo page's source to see how it does the math, it has the same logic:

    function recalc_B() {
        var bb = g.modPow(b, N);
        B = bb.add(v.multiply(k)).mod(N);
        osync_B();
    }

    I noticed that the demo page is copyright of the SRP inventor Tom Wu. Of course it isn't signed by his public key, so the page may have been tampered with; but everything looks okay with respect to the calculation of B as regards the article you reference.

    You say you think that the implementation misses the final mod(N). Can you give me a URL to the source you are looking at?

    Thanks

    Simon
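The two forms of the B computation discussed in this comment, side by side, as an added Python example (not code from Nimbus, Bouncy Castle or the Stanford demo). The group N = 2**521 - 1 with g = 3 is a constructed toy group rather than an SRP group, SHA-256 stands in for H, and the salt, identity, password and ephemeral b are constructed sample values.

```python
import hashlib

# Toy parameters constructed for this demonstration only: 2**521 - 1 is a known
# prime but NOT a standardised SRP group; real code uses the RFC 5054 groups.
N = 2**521 - 1
g = 3
NBYTES = (N.bit_length() + 7) // 8

def pad(x: int) -> bytes:
    """PAD(): left-pad an integer to the byte length of N (SRP-6a)."""
    return x.to_bytes(NBYTES, "big")

def srp_k() -> int:
    """SRP-6a multiplier k = H(N | PAD(g)); SHA-256 assumed as H here."""
    return int.from_bytes(hashlib.sha256(pad(N) + pad(g)).digest(), "big")

def srp_verifier(salt: bytes, identity: bytes, password: bytes) -> int:
    """v = g^x mod N with x = H(s | H(I ':' P)), the SRP-6a verifier."""
    inner = hashlib.sha256(identity + b":" + password).digest()
    x = int.from_bytes(hashlib.sha256(salt + inner).digest(), "big")
    return pow(g, x, N)

def compute_B_nimbus(k: int, v: int, b: int) -> int:
    """Mirrors g.modPow(b, N).add(v.multiply(k)).mod(N): fully reduced."""
    return (pow(g, b, N) + k * v) % N

def compute_B_missing_mod(k: int, v: int, b: int) -> int:
    """The flawed form from the article: no final reduction mod N."""
    return pow(g, b, N) + k * v

def check_public_server_value(k: int, v: int, b: int) -> dict:
    """Properties a unit test can assert to catch a missing final mod(N).
    A correct B lies in [0, N). Without the final mod, B = k*v + r with
    0 <= r < N, so B // N is (k*v) // N or one more: roughly log2(k)
    high-order bits of the verifier v are exposed to anyone who sees B."""
    B_ok = compute_B_nimbus(k, v, b)
    B_bad = compute_B_missing_mod(k, v, b)
    return {
        "ok_in_range": 0 <= B_ok < N,
        "bad_in_range": 0 <= B_bad < N,
        "bad_reduces_to_ok": B_bad % N == B_ok,
        "bad_quotient_leaks_kv": (B_bad // N) - (k * v) // N in (0, 1),
    }

# Constructed sample inputs: salt, identity, password and ephemeral b.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
V = srp_verifier(SALT, b"alice", b"correct horse battery staple")
K = srp_k()
B_PRIVATE = 0x5EEDC0DECAFEF00D0123456789ABCDEF  # would be random in practice
RESULT = check_public_server_value(K, V, B_PRIVATE)
```

A range assertion on B (0 <= B < N) in a test like SRP6RoutinesTest.testComputePublicServerValue is enough to catch the missing reduction, independently of the test vectors.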

  2. simon

    Of historic interest, a comment by @vdzhuvinov within the body of SRP6Routines#computePublicServerValue says that the Nimbus code differs from the Bouncy Castle SRP library exactly because that other Java library has the bug in question. It also comments that Nimbus applies the mod(N) correctly, as is done in the Stanford SRP demo code written by Tom Wu.
