
My customer is currently using Secure Remote Password (with SSL) for authentication. The reason is that he does not want to send the user password to the server side, to prove that no confidential user data is stored on the server side (only the salt and verifier generated on the client side are stored on the server side, not the password itself).

Is it a valid reason? If yes, is there any other authentication mechanism that is more standard (like OAuth, JWT, etc.) and meets the same requirement?

I have a new application to secure, and it is easy to find frameworks which provide out-of-the-box integrations with mechanisms like OAuth, SAML, LDAP and JWT, but none of them supports SRP. It should be fine, and less harmful for us, to use a mechanism other than SRP.

rico
  • There is a big list of libraries providing implementations of SRP at https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol#Implementations - haven't used any, so no idea whether they are good implementations, but they certainly exist. – Matthew Jun 20 '18 at 14:03
  • Actually, my problem is that integrating with SRP libraries is more complicated. I am wondering if it is worth it when some frameworks like http://www.pac4j.org/, http://shiro.apache.org/ or https://www.keycloak.org/ provide out-of-the-box integration with other protocols. It is also linked with https://crypto.stackexchange.com/questions/8245/why-is-srp-not-widely-used – rico Jun 20 '18 at 14:14
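As an added illustration (not code from the question, its comments, or any of the frameworks mentioned), the following Python sketch of SRP-6a shows the property the question relies on: enrollment yields only a salt and a verifier for the server to keep, and the login exchange proves knowledge of the password without ever transmitting it. It assumes SHA-256 as the hash function and the 1024-bit group from RFC 5054; the salt length, the username/password sample values and the message-proof layout are this example's own choices.

```python
import hashlib
import secrets

# 1024-bit group from RFC 5054, Appendix A (generator g = 2).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576D674DF74"
    "96EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD15DC7D7B46154D6B6"
    "CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4"
    "976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8

def H(*parts: bytes) -> int:
    """SHA-256 over the concatenation, as an integer (the hash choice is an assumption)."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def pad(n: int) -> bytes:  # left-pad to len(N), as RFC 5054 does when hashing k and u
    return n.to_bytes(NLEN, "big")

k = H(pad(N), pad(g))  # SRP-6a multiplier

def private_x(salt: bytes, username: bytes, password: bytes) -> int:
    """x = H(salt | H(username ':' password)); needs the password, so client only."""
    return H(salt, hashlib.sha256(username + b":" + password).digest())

def enroll(username: bytes, password: bytes):
    """Client side. The server stores only (salt, verifier); the password never leaves."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, username, password), N)

def authenticate(username: bytes, password: bytes, salt: bytes, v: int) -> bool:
    """One SRP-6a run; 'client' lines use the password, 'server' lines only (salt, v)."""
    a = secrets.randbelow(N - 1) + 1                   # client ephemeral secret
    A = pow(g, a, N)                                   # client -> server: username, A
    if A % N == 0:                                     # server rejects a degenerate A
        return False
    b = secrets.randbelow(N - 1) + 1                   # server ephemeral secret
    B = (k * v + pow(g, b, N)) % N                     # server -> client: salt, B
    if B % N == 0:                                     # client rejects a degenerate B
        return False
    u = H(pad(A), pad(B))                              # both sides
    x = private_x(salt, username, password)            # client only
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow((A * pow(v, u, N)) % N, b, N)       # server never sees x or the password
    M1 = H(pad(A), pad(B), pad(S_client))              # client -> server: proof of S
    if M1 != H(pad(A), pad(B), pad(S_server)):         # wrong password fails here
        return False
    M2 = H(pad(A), pad(M1), pad(S_server))             # server -> client: proof of S
    return M2 == H(pad(A), pad(M1), pad(S_client))
```

What crosses the wire is only the username, A, salt, B and the two hashed proofs; a stolen (salt, verifier) record lets an attacker impersonate the server, not log in as the user without a dictionary attack on the verifier.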

0 Answers