The “secure remote password protocol” is a modern cryptographic protocol for password authenticated key exchange (PAKE). It provides some desirable properties, like a passive eavesdropper being unable to brute-force the password. It is usually used to derive shared session keys from passwords and authenticate users with passwords.
Questions tagged [srp]
54 questions
27 votes, 7 answers
Why is SRP not widely used?
SRP seems to be a very good password authentication protocol, compared to any other things used now. So why are there no popular implementations, or even no working secure implementations?
I tried to set up TLS-SRP protocol, but it hasn't worked…
Smit Johnth
19 votes, 2 answers
Is there any SRP-like key exchange only using "standard" cryptographic primitives?
I am looking into PAKEs (password-authenticated key exchanges), and it seems like SRP (Secure Remote Password) is essentially the de-facto standard.
However, implementing SRP actually requires doing modular arithmetic, and is similar to, say,…
ithisa
13 votes, 3 answers
What should be the size of a Diffie-Hellman private key?
I'm implementing the SRP-6 protocol, which relies on discrete logarithms for its security (essentially Diffie-Hellman).
The RFC documents state:
The private values $a$ and $b$ SHOULD be at least 256-bit random numbers, to give
approximately 128…
Jim
10 votes, 1 answer
How realistic is a dictionary attack on a secure remote password protocol (SRP) verifier?
I'm deploying a secure remote password protocol implementation and I'm wondering what the consequences are when the client generated verifier gets leaked to an attacker. I've read Thomas Wu's paper and as nice as it is, it doesn't talk about that…
Grant BlahaErath
9 votes, 1 answer
Why does SRP-6a use k = H(N, g) instead of the k = 3 in SRP-6?
I've been reading up on the Secure Remote Password protocol (SRP). There are a couple different versions of the protocol (the original published version being designated SRP-3, with two subsequent enhancements 6 and 6a).
There was a very limited…
Robert I. Jr.
8 votes, 3 answers
Can I use a key-derivation-function as the hash function H in SRP?
In the Secure Remote Password Protocol, the verifier must be stored on the server. In the case of a server compromise, an attacker could obtain these verifiers. If nobody reused passwords, this wouldn't be a big deal (as the users' data is…
Jason
7 votes, 2 answers
Can SRP be used with Elliptic Curves?
I'm sure it can, because SRP (secure remote protocol) can be implemented everywhere where Diffie-Hellman works, but I need a proof to put this aspect into Wikipedia.
Edit: ok, can it be at least partially moved to elliptic curves?
Smit Johnth
7 votes, 1 answer
Implementation and Testing of SRP-6a
I have been wracking my brain trying to develop a functioning implementation of SRP-6a in Python to use with a 3rd-party API that claims to use SRP-6a with $N=$ 2048-bit prime and generator of $2$. Unfortunately it has proven quite difficult to…
Joe
7 votes, 2 answers
Is SRP post-quantum secure?
Is SRP-6a post-quantum secure? If it is not post-quantum secure, do any post-quantum secure alternatives similar to SRP-6a exist?
mpr
6 votes, 1 answer
Why is TLS SRP verifier based on user name?
I don't understand why TLS SRP (or SRP in general) includes the user name in verifier calculation, given that user name is basically public.
From spec RFC 5054 $x$, which is then used to calculate verifier, is calculated as follows:
x = SHA1(s |…
nefarel
5 votes, 2 answers
Does SRP reduce to DH key exchange when shared password is not secret?
I can find JavaScript implementations of SRP (Secure Remote Password protocol), but nothing that inspires confidence for Diffie-Hellman key exchange. I also have a separate need for SRP later.
I would like to do key exchange under the assumption…
Jeffrey Goldberg
5 votes, 1 answer
What security checks do I need for SRP-6a?
I'm implementing an SRP-6a login system. What security checks do I need to do? Note that the modulus is sent to the client at algorithm startup.
Here is the list I have so far. I'm using the Wikipedia names for the variables.
Verify that $N$ is…
Myria
5 votes, 1 answer
State level "Weak Diffie-Hellman" working for SRP too?
I've read about the "Weak Diffie-Hellman" attack (paper, website), where a resourceful entity like a state can pre-compute values for known primes to aid solving the discrete logarithm problem for that particular prime.
I've also read that SRP is…
user10008
5 votes, 2 answers
Does SRP also authenticate the server to the client?
The Secure Remote Password (SRP) protocol lets a client prove to a server that it knows a specific password without revealing that password to the server. The server stores a cryptographic verifier for the user account. If an attacker impersonates…
JanKanis
5 votes, 1 answer
Discovering private exponent from public key
I'm going to assume this isn't possible, but I have to ask because I'm trying to fundamentally understand what I've thus far been trying to implement by following an RFC.
SRP-6a starts off with declaring that I should choose $N$, a sufficiently…
Joe