Random number generation isn't to RFC 5054

Issue #20 resolved
simon created an issue

The RFC says that the b should be at least 256 bits and in the range [1,N) inclusive. The logic SRP6Routines::generatePrivateValue for N > 512 bits generates a value in the range [1<<256,N), which is narrower than the range allowable by the RFC. To do this it has quite a sophisticated looping logic which samples random BigIntegers to find one in that range, with some logic to handle corner cases.

A better way to calculate this would be to generate a random BigInteger using its constructor R = new BigInteger(N.bitLength(), secureRandom), then R.mod(N) to get the random number, and only loop if it is zero. There is then only an extremely low probability of looping, if the randomly generated R is exactly N. It will also use the full range [1,N).
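Added here as an illustration, not code from the project or from the issue author: a Python sketch of drawing a uniform private value in [1, N), with Python's int and secrets.randbits standing in for Java's BigInteger and SecureRandom. Reducing a k-bit draw mod N, as proposed above, is uniform only when N is a power of two, so the sketch rejects out-of-range draws instead; the SequenceBits source and residue_histogram helper are constructed solely to audit both samplers exhaustively on a tiny N.

```python
import secrets

class _Exhausted(Exception): pass  # raised once SequenceBits has handed out every k-bit value

def generate_private_value(N: int, randbits=secrets.randbits, min_bits: int = 256) -> int:
    """Uniform b in [1, N) by rejection sampling, with no modular reduction.
    Draws N.bit_length() bits and accepts only values in [1, N) with at least
    `min_bits` bits (RFC 5054 asks for 256). Since 2**(k-1) <= N < 2**k, each
    draw is accepted with probability above 1/2, so the expected loop count is
    below 2, and every accepted value is equally likely."""
    k = N.bit_length()
    if N < 2 or min_bits > k:
        raise ValueError("need N >= 2 and min_bits <= N.bit_length()")
    while True:
        r = randbits(k)  # uniform over [0, 2**k)
        if 1 <= r < N and r.bit_length() >= min_bits:
            return r

def mod_reduce_value(N: int, randbits=secrets.randbits) -> int:
    """The variant proposed in the issue: R mod N, looping only on zero. Kept
    for comparison: it is uniform only when N is a power of two; otherwise the
    low residues are over-represented (modulo bias)."""
    k = N.bit_length()
    while True:
        r = randbits(k) % N
        if r != 0:
            return r

class SequenceBits:
    """Deterministic stand-in for randbits, constructed for auditing only:
    hands out 0, 1, ..., 2**k - 1 once each, then raises _Exhausted."""
    def __init__(self, k: int):
        self.k, self.next = k, 0
    def __call__(self, k: int) -> int:
        assert k == self.k
        if self.next >= 1 << k:
            raise _Exhausted
        self.next += 1
        return self.next - 1

def residue_histogram(sampler, N: int) -> list:
    """Drive `sampler` over every k-bit input exactly once and count how often
    each value in [0, N) comes out; a uniform sampler gives equal counts."""
    src, counts = SequenceBits(N.bit_length()), [0] * N
    try:
        while True:
            counts[sampler(N, src)] += 1
    except _Exhausted:
        pass
    return counts
```

With N = 5 the mod variant returns 1 and 2 twice as often as 3 and 4 over the eight possible 3-bit draws, while the rejection sampler returns each of 1..4 exactly once.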
