Changes

Identity/AttachedServices/KeyServerProtocol

6 bytes added, 01:42, 3 July 2013
m
SRP Server-side Sign-In Flow: emphasize importance of keeping 'b' secret
=== SRP Server-side Sign-In Flow ===
When the user connects a new device to their account, they use the getToken1() API to start the SRP protocol. This sends the account email address to the server. The server looks up the stored srpVerifier for this account, creates a random 'b' integer, performs some math to compute the "B" number, then converts B into a string known as "srpB". "srpB" is returned to the client, along with srpSalt and the key-stretching parameters. "b" and "srpB" are retained for the subsequent getToken2() call. '''Note that it is critical that the "b" integer remain secret on the server.'''
[[File:PICL-IdPAuth-SRP-Server.png|server--side SRP]]
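Review bot: the bolded sentence says the "b" integer must remain secret but gives no lifetime for it; since the preceding sentence says "b" is retained only for the subsequent getToken2() call, state explicitly that "b" is generated fresh for each sign-in attempt and discarded once getToken2() completes, so the note reads as a concrete handling requirement rather than a general caution. Separately, "performs some math to compute the "B" number" leaves the server-side computation unspecified; naming the computation or linking the SRP reference this flow follows would let an implementer check the server side against it.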