4

I have seen a few samples of SRP protocol used for web applications and I wonder why nobody ever uses it for RESTful authentication. I have done some research and I couldn't find any single example, not even one. SRP together with password hashing functions such as bcrypt, scrypt or pbkdf2 seems pretty solid to me, but it seems like nobody has tried it before which is odd. Am I missing something here that is conceptually contradictory? Does SRP protocol somehow remove RESTfulness?

leventunver
  • 141
  • 4
  • I might recommend re-writing your title a bit so that it attracts more factual, and fewer opinion-based answers. Maybe something along the lines of "What are the hurdles which would keep an organization from adopting SRP?" – Dan Landberg Jan 24 '18 at 19:52
  • I tried to narrow down the question to RESTful systems, but actually, as you've said, SRP never made it to the enterprise world. If I generalize the question to a broader category as you've mentioned then it would actually lead to an opinion-based discussion. Let's see if there will be any other answers. If not, then I may change the title. – leventunver Jan 25 '18 at 20:25

1 Answers1

4

Much of the adoption of technology is dependent on economics, and SRP is no exception. Software shops are generally not going to spend or money on a specific technology which does not provide any sort of novel benefit. For example, the benefit SRP would provide to an organization would be that they do not have to store passwords in their system. OpenID already fulfills a similar role. Choosing SRP means that an organization will have to incur the costs of developing the implementation, accept the risks of not implementing it correctly, and would provide no additional benefit over the cheaper method (OpenID, etc.)

SRP does not violate RESTful practices, as far as I'm aware.

Dan Landberg
  • 3,312
  • 12
  • 17
  • 1
    I am trying to think from a developer's perspective. I did some research on authentication methods in REST and a lot of developers seem to misunderstand the concepts such as OAuth and JWT. The only approach that has been agreed upon is OpenID Connect on top of OAuth 2.0. But I still think that it might be an architectural overkill because either I have to use a third-party identity provider for authentication or implement it by myself (like SRP). If there were some proven frameworks that are ready to use based on SRP, then the organizations wouldn't have to bother implementing it correctly. – leventunver Jan 25 '18 at 20:32