Re: How exactly my passphrase can never be sent to server?
Submitted by Giulio Cesare on 18 April, 2008 - 14:03.
Aleksey,
first let me fix a wrong assumption you wrote in your comment:
this “something” must be included in the index.html
This is not correct. The index.html file is a static file, and it is the same for everybody. No personal information is stored in it; this is not the case for the offline version, but I don’t think this is relevant for the moment.
Your credentials are compared with some data stored on the server, but thanks to the SRP protocol we can achieve this without sending the passphrase itself to the server. Only derived values are transmitted; if you like some algebra, look here.
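The exchange described in the comment above, as an added example that is not part of the original thread and not Clipperz's own code: a self-contained SRP-6a run in Python where the server stores only a salt and a verifier, and the only values that cross the wire are A, B, the salt and two hash-based proofs. It uses SHA-256 and the 1024-bit group from RFC 5054, Appendix A; the proof messages M1 and M2 are the simplified H(A, B, K) / H(A, M1, K) forms rather than the full RFC 2945 construction, and the user name, passphrase and helper names (register, Client, Server, run_login) are assumptions chosen for the demonstration.

```python
import hashlib
import secrets

# 1024-bit SRP group from RFC 5054, Appendix A (constant reproduced from the RFC).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C"
    "9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE4"
    "8E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B29"
    "7BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9A"
    "FD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8

def pad(n):
    """Big-endian encoding of n, left-padded to the byte length of N (RFC 5054 PAD)."""
    return n.to_bytes(NLEN, "big")

def H(*parts):
    """SHA-256 over the concatenated byte strings, read as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

k = H(pad(N), pad(g))  # SRP-6a multiplier

def private_key(username, password, salt):
    """x = H(salt, H(username ":" password)); computed only on the client, never sent."""
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, inner)

def register(username, password):
    """Run once on the client: the server keeps (salt, verifier), not the passphrase."""
    salt = secrets.token_bytes(16)
    x = private_key(username, password, salt)
    return {"username": username, "salt": salt, "verifier": pow(g, x, N)}

class Client:
    def __init__(self, username, password):
        self.username, self.password = username, password

    def start(self):
        self.a = secrets.randbelow(N)
        self.A = pow(g, self.a, N)
        return self.A                          # message 1: A goes to the server

    def process_challenge(self, salt, B):
        if B % N == 0:                         # reject a degenerate B (RFC 5054 check)
            raise ValueError("server sent B == 0 mod N")
        u = H(pad(self.A), pad(B))
        if u == 0:
            raise ValueError("u == 0")
        x = private_key(self.username, self.password, salt)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = hashlib.sha256(pad(S)).digest()
        self.M1 = hashlib.sha256(pad(self.A) + pad(B) + self.K).digest()
        return self.M1                         # message 3: proof of K, not of the passphrase

    def verify_server(self, M2):
        expected = hashlib.sha256(pad(self.A) + self.M1 + self.K).digest()
        return M2 is not None and secrets.compare_digest(M2, expected)

class Server:
    def __init__(self, record):
        self.salt, self.v = record["salt"], record["verifier"]

    def challenge(self, A):
        if A % N == 0:                         # reject a degenerate A (RFC 5054 check)
            raise ValueError("client sent A == 0 mod N")
        self.A, self.b = A, secrets.randbelow(N)
        self.B = (k * self.v + pow(g, self.b, N)) % N
        return self.salt, self.B               # message 2: salt and B go to the client

    def verify_client(self, M1):
        u = H(pad(self.A), pad(self.B))
        S = pow(self.A * pow(self.v, u, N) % N, self.b, N)
        self.K = hashlib.sha256(pad(S)).digest()
        expected = hashlib.sha256(pad(self.A) + pad(self.B) + self.K).digest()
        if not secrets.compare_digest(M1, expected):
            return None                        # wrong passphrase: proofs differ, no M2 issued
        return hashlib.sha256(pad(self.A) + M1 + self.K).digest()  # message 4

def run_login(record, username, password):
    """Drive one full exchange; return the outcome, both session keys and every wire message."""
    client, server = Client(username, password), Server(record)
    A = client.start()
    salt, B = server.challenge(A)
    M1 = client.process_challenge(salt, B)
    M2 = server.verify_client(M1)
    wire = [username.encode(), pad(A), salt, pad(B), M1] + ([M2] if M2 else [])
    return {"authenticated": client.verify_server(M2),
            "client_key": client.K, "server_key": server.K, "wire": wire}
```

Calling `register("aleksey", "correct horse battery staple")` and then `run_login` with the same credentials yields `authenticated == True` and identical keys on both sides, while the passphrase bytes appear in none of the `wire` messages; a wrong passphrase makes the two S values, and therefore M1, disagree, so the server returns no M2. The server-side `verifier` is `g^x mod N`, so a stolen database still forces an attacker into a dictionary attack per user rather than handing over a reusable secret. The `B mod N == 0` and `A mod N == 0` checks are the ones a production implementation must not skip; for real deployments use a reviewed SRP library and the full RFC 2945 proof messages.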