* tokenID
* request HMAC key
* request XOR key
The request data will contain kA, wrap(kB), and the SRP verifier, concatenated together. The first two pieces are fixed-length. We generate enough reqXORkey bytes to cover all three values.
The request data is XORed with requestXORkey, then delivered in the body of a HAWK request that uses tokenID as credentials.id and requestHMACkey as credentials.key. Note: it is critical to include the request body in the HAWK integrity check (options.payload=true, on both client and server); otherwise a man-in-the-middle could substitute their own SRP verifier, giving them control over the account (access to the user's class-A data, and a brute-force attack on their password).
[[File:PICL-IdPAuth-decryptResponseencryptResetAccount.png|Encrypting the resetAccount Request]]
= Creating the Account =