On Thu, Aug 21, 2008 at 3:52 AM, Dirk Meyer <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I have two questions if I understand RFC 5054 correctly. In our
> scenario we have two clients with unverified certificates and a shared
> secret we use as password. One acts as TLS client, the other as TLS
> server. Now I want to be sure that not only the TLS server can verify
> the client knows the password but also the other way around. Looking
> at the RFC I see that the premaster secret is calculated by both
> parties using x with x = SHA1(s | SHA1(I | ":" | P)) and P is the
> password. The server uses this indirectly by using v and v = g^x % N
>
> So am I understanding this correctly that BOTH will notice it when the
> other does not know the password?
Yes. Technically the server doesn't know the password but rather a "verifier" that's derived from the password. This protects the client to some extent if he uses the same password with multiple servers.

-Ekr
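To make the point of the exchange above concrete, here is an added example (not part of the thread, not code from either poster) that runs the RFC 5054 SRP computation for both sides with Python's standard library only. The group is the 1024-bit (N, g) from RFC 5054 Appendix A, transcribed here; the identity, password and salt are constructed sample values. The server side only ever holds the verifier v = g^x % N, never P. A wrong password on the client, or a verifier for a different password on the server, produces two different premaster secrets, which is why in TLS-SRP each side detects the other's mistake when the peer's Finished message fails to verify.

```python
import hashlib
import secrets

# 1024-bit group from RFC 5054, Appendix A (transcribed from the RFC).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
N_LEN = (N.bit_length() + 7) // 8  # 128 bytes


def to_bytes(n: int) -> bytes:
    """Big-endian encoding without leading zero bytes (premaster secret form)."""
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")


def pad(n: int) -> bytes:
    """PAD(): left-pad to the byte length of N, as RFC 5054 section 2.5.3 requires."""
    return n.to_bytes(N_LEN, "big")


def sha1_int(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha1(b"".join(parts)).digest(), "big")


def compute_x(salt: bytes, I: bytes, P: bytes) -> int:
    # x = SHA1(s | SHA1(I | ":" | P))  -- only the client needs P for this.
    inner = hashlib.sha1(I + b":" + P).digest()
    return sha1_int(salt, inner)


def make_verifier(I: bytes, P: bytes, salt: bytes) -> int:
    # v = g^x % N; this, with the salt, is all the server stores.
    return pow(g, compute_x(salt, I, P), N)


def srp_exchange(I: bytes, P_client: bytes, salt: bytes, v: int):
    """Run the RFC 5054 computation for both parties and return
    (client_premaster, server_premaster) as bytes."""
    a = secrets.randbelow(N - 2) + 1  # client ephemeral
    b = secrets.randbelow(N - 2) + 1  # server ephemeral
    k = sha1_int(to_bytes(N), pad(g))
    # Client -> Server: A = g^a % N; server must reject A % N == 0.
    A = pow(g, a, N)
    if A % N == 0:
        raise ValueError("illegal_parameter: A mod N == 0")
    # Server -> Client: B = (k*v + g^b) % N; client must reject B % N == 0.
    B = (k * v + pow(g, b, N)) % N
    if B % N == 0:
        raise ValueError("illegal_parameter: B mod N == 0")
    u = sha1_int(pad(A), pad(B))
    if u == 0:
        raise ValueError("illegal_parameter: u == 0")
    # Client: needs the password to reconstruct g^x and strip k*v out of B.
    x = compute_x(salt, I, P_client)
    client_S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    # Server: uses only the stored verifier v.
    server_S = pow((A * pow(v, u, N)) % N, b, N)
    return to_bytes(client_S), to_bytes(server_S)


def check_mutual_detection() -> dict:
    """Constructed sample values; returns whether the two premaster secrets agree
    in each scenario (True means the handshake would complete)."""
    I, salt = b"alice", bytes.fromhex("0011223344556677")
    v_good = make_verifier(I, b"correct horse battery staple", salt)
    v_other = make_verifier(I, b"some other password", salt)
    same = srp_exchange(I, b"correct horse battery staple", salt, v_good)
    client_wrong = srp_exchange(I, b"wrong password", salt, v_good)
    server_wrong = srp_exchange(I, b"correct horse battery staple", salt, v_other)
    return {
        "same_password": same[0] == same[1],
        "client_wrong_password": client_wrong[0] == client_wrong[1],
        "server_wrong_verifier": server_wrong[0] == server_wrong[1],
    }


if __name__ == "__main__":
    for scenario, agreed in check_mutual_detection().items():
        print(f"{scenario}: premaster secrets {'match' if agreed else 'differ'}")
```

The server-side branch never touches `P_client`, which is the property Ekr describes: a compromised server database yields verifiers, not passwords, and a client holding the wrong password (or talking to a server with the wrong verifier) simply ends up with a premaster secret the peer cannot confirm.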
