Identity/AttachedServices/KeyServerProtocol

50 bytes removed, 00:56, 9 July 2013
include new SRP salt when resetting the account
= Resetting the Account =
 
The current stub just submits (newPassword, wrap(kB), resetToken). This will be replaced soon.
resetAccount() needs request confidentiality, since the arguments include the newly wrapped kB value and the new SRP verifier, both of which would let an eavesdropper mount an offline brute-force attack against the password. HAWK provides request integrity. The response is a single "ok" or "fail", conveyed by the HTTP headers, so we do not require response confidentiality, and can live without response integrity.
The request data will contain kA, wrap(kB), a new (randomly-generated) SRP salt, and the new SRP verifier, all concatenated together. The first three pieces are fixed-length, so the verifier can be taken as the remainder. We generate enough reqXORkey bytes to cover all four values.
[[File:PICL-IdPAuth-resetAccount.png|Deriving the resetAccount Keys]]
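As an added illustration of the request layout described above (this is example code written for this page, not the protocol's reference implementation): the four values are concatenated, a reqXORkey of exactly the payload's length is derived from the resetToken and XORed over the whole thing, and a MAC key is derived alongside it to stand in for the Hawk request MAC. The field sizes, the use of HKDF-SHA256, the info string, and the HMAC stand-in for Hawk are all assumptions of the example, not values taken from the page.

```python
import hashlib
import hmac
import secrets

# Field sizes. kA and wrap(kB) are fixed-length per the protocol notes;
# the SRP salt length and the MAC key length are assumptions for this example.
KA_LEN = 32
WRAPKB_LEN = 32
SRP_SALT_LEN = 32
MAC_KEY_LEN = 32
HEADER_LEN = KA_LEN + WRAPKB_LEN + SRP_SALT_LEN  # the three fixed-length fields


def hkdf(ikm: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-SHA256 (extract with an all-zero salt, then expand)."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_reset_keys(reset_token: bytes, payload_len: int):
    """Derive a MAC key plus a reqXORkey long enough to cover the entire payload.
    The info string is an assumption of this example, not the protocol's value."""
    km = hkdf(reset_token, b"example:resetAccount", MAC_KEY_LEN + payload_len)
    return km[:MAC_KEY_LEN], km[MAC_KEY_LEN:]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b), "XOR key must cover the whole payload"
    return bytes(x ^ y for x, y in zip(a, b))


def build_reset_request(reset_token, kA, wrap_kB, srp_salt, srp_verifier):
    """Client side: concatenate kA || wrap(kB) || salt || verifier, mask it with
    reqXORkey, and return the opaque body plus an integrity tag."""
    assert len(kA) == KA_LEN and len(wrap_kB) == WRAPKB_LEN
    assert len(srp_salt) == SRP_SALT_LEN and len(srp_verifier) > 0
    payload = kA + wrap_kB + srp_salt + srp_verifier
    mac_key, req_xor_key = derive_reset_keys(reset_token, len(payload))
    body = xor_bytes(payload, req_xor_key)
    # Stand-in for the Hawk request MAC: HMAC over the opaque body.
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return body, tag


def parse_reset_request(reset_token, body, tag):
    """Server side: check integrity first, then unmask and split the fields.
    Everything after the three fixed-length fields is the SRP verifier."""
    if len(body) <= HEADER_LEN:
        raise ValueError("body too short: no SRP verifier present")
    mac_key, req_xor_key = derive_reset_keys(reset_token, len(body))
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("request integrity check failed")
    payload = xor_bytes(body, req_xor_key)
    return {
        "kA": payload[:KA_LEN],
        "wrap_kB": payload[KA_LEN:KA_LEN + WRAPKB_LEN],
        "srp_salt": payload[KA_LEN + WRAPKB_LEN:HEADER_LEN],
        "srp_verifier": payload[HEADER_LEN:],
    }


if __name__ == "__main__":
    # Constructed sample values; a real verifier would come from the SRP setup.
    token = secrets.token_bytes(32)
    fields = (secrets.token_bytes(KA_LEN), secrets.token_bytes(WRAPKB_LEN),
              secrets.token_bytes(SRP_SALT_LEN), secrets.token_bytes(256))
    body, tag = build_reset_request(token, *fields)
    print(parse_reset_request(token, body, tag)["srp_verifier"] == fields[3])
```

Note that the XOR mask gives confidentiality only because reqXORkey is never reused: it is derived from a single-use resetToken and is exactly as long as the payload, so there is no keystream left over to reuse and no second message masked under the same token.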