Changes

Identity/AttachedServices/KeyServerProtocol

864 bytes added, 02:30, 28 June 2013
Resetting the Account
The current stub just submits (newPassword, wrap(kB), resetToken). This will be replaced soon.
 
resetAccount() needs request confidentiality, since the arguments include the newly wrapped kB value and the new SRP verifier, both of which enable a brute-force attack against the password. HAWK provides request integrity. The response is a single "ok" or "fail", conveyed by the HTTP headers, so we do not require response confidentiality, and can live without response integrity.
 
So the single-use resetToken is used to derive three values:
 
* tokenID
* request XOR key
* request HMAC key
The request data is XORed with requestXORkey, then delivered in the body of a HAWK request that uses tokenID as credentials.id and requestHMACkey as credentials.key. Note: it is very important to include the request body in the HAWK integrity check (options.payload=true, on both client and server).
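As an added illustration (not code from this wiki page or from the PICL project), the client and server halves of the reset request described above: the three values derived from resetToken, the XOR-masked body, and a Hawk 1.x MAC computed with payload hashing enabled so that any change to the body on the wire fails verification. The KDF (HKDF-Expand with the info string "resetAccount"), the key sizes and the request parameters are assumptions; the server here receives resetToken directly instead of looking it up by tokenID.

```python
import base64
import hashlib
import hmac
# Constructed request parameters for the example (not values from the wiki page).
CTYPE, RESOURCE, HOST, PORT = "application/json", "/account/reset", "idp.example", 443

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with SHA-256; the page does not name its KDF, so this is assumed."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def derive_reset_keys(reset_token: bytes, body_len: int):
    """Split one derived stream into tokenID, a body-sized requestXORkey and requestHMACkey."""
    km = hkdf_expand(reset_token, b"resetAccount", 32 + body_len + 32)
    return km[:32], km[32:32 + body_len], km[32 + body_len:]

def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, key))

def hawk_payload_hash(content_type: str, body: bytes) -> str:
    """Hawk 1.x payload hash: base64 of SHA-256 over the 'hawk.1.payload' header, type and body."""
    digest = hashlib.sha256(b"hawk.1.payload\n" + content_type.encode() + b"\n" + body + b"\n")
    return base64.b64encode(digest.digest()).decode()

def hawk_mac(key: bytes, ts: int, nonce: str, method: str, payload_hash: str) -> str:
    """Hawk 1.x header MAC over the normalized string; the payload hash is part of it."""
    normalized = "\n".join(["hawk.1.header", str(ts), nonce, method, RESOURCE, HOST,
                            str(PORT), payload_hash, ""]) + "\n"
    return base64.b64encode(hmac.new(key, normalized.encode(), hashlib.sha256).digest()).decode()

def client_build_reset(reset_token: bytes, body: bytes, ts: int, nonce: str) -> dict:
    """Client: mask the body with requestXORkey, then sign it with payload hashing on."""
    token_id, xor_key, hmac_key = derive_reset_keys(reset_token, len(body))
    masked = xor_bytes(body, xor_key)
    phash = hawk_payload_hash(CTYPE, masked)
    return {"id": token_id.hex(), "ts": ts, "nonce": nonce, "hash": phash,
            "mac": hawk_mac(hmac_key, ts, nonce, "POST", phash), "body": masked}

def server_verify_reset(reset_token: bytes, req: dict):
    """Server: recompute the MAC over the bytes actually received; unmask only on success."""
    token_id, xor_key, hmac_key = derive_reset_keys(reset_token, len(req["body"]))
    phash = hawk_payload_hash(CTYPE, req["body"])
    expected = hawk_mac(hmac_key, req["ts"], req["nonce"], "POST", phash)
    ok = hmac.compare_digest(token_id.hex(), req["id"]) and hmac.compare_digest(expected, req["mac"])
    return xor_bytes(req["body"], xor_key) if ok else None
```

Because the server recomputes the payload hash from the received body rather than trusting the client's hash header, flipping a single bit of the masked body invalidates the MAC, which is the property options.payload=true buys.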
 
[[File:PICL-IdPAuth-decryptResponse.png|Decrypting the Response]]
= Creating the Account =