Submission - Joint submission to the 2007 Review of the Electronic Funds Transfer (EFT) Code of Conduct to ASIC (May 2007)

Secure Remote Password Protocol

A typical implementation of SRP works by applying a function to a password chosen by the user to generate what is known as a ‘verifier’. The verifier is sent once to the financial institution’s server where it is stored.

Each time the user needs to log in, they enter their username and password. However, the password, unlike the username, is not sent to the financial institution’s server. The password is instead used by the customer’s computer to generate the verifier referred to earlier. The financial institution’s server and the customer’s computer then generate random values and exchange these. Using the combination of the verifier (which the customer’s computer has generated and the financial institution’s server should already have a copy of) and both sets of random values, each party is able to produce a congruent session key that can be used to encrypt communications. Each party then proves it has the same session key by producing a hash of that key and sending it to the other party along with the random values provided by that other party. Both the customer and financial institution have thus proven they hold the correct verifier without actually sharing it, facilitating a process of mutual authentication and significantly reducing the possibility of a fraudulent third party being able to use an end-user’s password to initiate a replay attack.
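The exchange described above, sketched as an added example that is not part of the original submission: it follows the SRP-6a arithmetic with both parties simulated in one process. The function names, the toy group and the simplified proof hashes are assumptions made for illustration.

```python
import hashlib, hmac, secrets

# Constructed toy group: 2**255 - 19 is prime, but it is not a vetted SRP
# group. Real deployments use a published group such as those in RFC 5054.
N, g = 2**255 - 19, 2

def H(*parts):
    """SHA-256 over length-prefixed parts (ints or bytes); returns bytes."""
    h = hashlib.sha256()
    for p in parts:
        if not isinstance(p, bytes):
            p = p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def Hi(*parts):
    return int.from_bytes(H(*parts), "big")

k = Hi(N, g)  # SRP-6a multiplier

def private_x(salt, user, password):
    return Hi(salt, f"{user}:{password}".encode())

def register(user, password):
    """Done once on the client: only (salt, verifier) go to the server."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, user, password), N)

def login(user, typed_password, salt, v):
    """Simulate one login; returns (server_accepts, client_accepts)."""
    a = secrets.randbelow(N - 2) + 1           # client's random value
    A = pow(g, a, N)                           # client -> server: user, A
    b = secrets.randbelow(N - 2) + 1           # server's random value
    B = (k * v + pow(g, b, N)) % N             # server -> client: salt, B
    u = Hi(A, B)
    if A % N == 0 or B % N == 0 or u == 0:     # each side rejects degenerate values
        return False, False
    x = private_x(salt, user, typed_password)  # derived locally, never sent
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow(A * pow(v, u, N) % N, b, N)
    K_client, K_server = H(S_client), H(S_server)   # session keys
    M1 = H(A, B, K_client)                     # client -> server: key proof
    if not hmac.compare_digest(M1, H(A, B, K_server)):
        return False, False                    # server stops; sends no proof
    M2 = H(A, M1, K_server)                    # server -> client: key proof
    return True, hmac.compare_digest(M2, H(A, M1, K_client))
```

Because `a` and `b` are fresh on every run, the values `A`, `B`, `M1` and `M2` captured from one login do not verify in another, which is the replay resistance the paragraph refers to.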