Questions tagged [srp]

Secure Remote Password (SRP) is a password-authenticated key agreement protocol.

24 questions
13
votes
3 answers

Can I use the same password both for SRP and for client-side encryption?

Suppose a less-than-trusted server is used to store users' confidential data (encrypted at the client side), and both tasks - authentication and encryption/decryption - should be doable with a single password. Would it be enough to: Strengthen the…
mgibsonbr
  • 2,905
  • 2
  • 20
  • 35
7
votes
1 answer

Forcing new password with zero-knowledge proof authentications

Let's say a ZKP (e.g. SRP6a) is used, for password verification. Let's say I need to force a user to change their password (so I have the salt and the verifier for the current password). For this, the client will need to send me the new salt and…
Pawel Veselov
  • 541
  • 5
  • 11
7
votes
2 answers

Will OpenSSL's TLS-SRP still provide PFS if all credentials are public?

The obvious go-to for PFS is DHE (or ECDHE). But I'm wondering if using tls-srp but with fixed (and therefore can be considered publicly known) credentials can achieve PFS as well. I suspect this is the case, since one of the features of SRP is that…
6
votes
1 answer

Feeding PBKDF2 to SRP verifier creation

There is an older game that solely uses UDP to communicate, and I wanted to add password authentication to the game to facilitate things like experience points and rankings. To this end, I decided to go with an implementation of SRP-6a communicated…
AlexMax
  • 163
  • 3
4
votes
4 answers

How do clients enroll using SRP?

From what I understand, one of the benefits of Secure Remote Password (SRP) is that it does not require reliance on certificate authorities. In a scenario where clients need the ability to register as a new user, how does this work? I can only…
BahKoo
  • 103
  • 1
  • 3
4
votes
1 answer

Why isn't Secure Remote Password protocol being used in REST APIs?

I have seen a few samples of SRP protocol used for web applications and I wonder why nobody ever uses it for RESTful authentication. I have done some research and I couldn't find any single example, not even one. SRP together with password hashing…
leventunver
  • 141
  • 4
4
votes
1 answer

SRP or WebCrypto challenge?

For a new website (HTTPS with HSTS+HPKP), we would like to restrict login access to authorized users' devices only. For that, a WebCrypto ECDSA public/private key pair is generated on each new device. The server stores the public key of the new…
lakano
  • 155
  • 8
3
votes
1 answer

TLS: is authentication and forward secrecy possible without PKI?

I'm making a project that consists of a client/server system that requires TLS without PKI. Design Requirements: The client MUST authenticate that it's communicating with 'THE' server. The server MUST authenticate that it's communicating with 'A'…
2
votes
1 answer

Any good tutorials / libraries for implementing TLS-SRP?

In this thread, Tom Ptacek explains what Password-Authenticated Key Exchanges are, and it got me really interested in them. If I'd like to start learning about how to build them into real world software communication protocols, where can I find a…
user3025492
  • 123
  • 2
2
votes
0 answers

Authentication mechanism without sending password on server-side

My customer is currently using Secure Remote Password (with SSL) for authentication. The reason is that he does not want to send the user password on the server-side, to prove no confidential user data is stored on the server-side (only the salt and…
rico
  • 361
  • 3
  • 8
2
votes
2 answers

Could PKE be used as a better alternative to SRP for authentication?

If I understood SRP correctly, its weak point is during the registration of a user, when sending the verifier to the server. Let's say the Server knows the PubKey(User) of the User and the User knows the PubKey(Server) of the Server. For…
PKEvsSRP
  • 21
  • 1
1
vote
0 answers

Questions about SRP algorithm

I am trying to use the SRP algorithm but I have some questions: Is it a good choice to use the SRP algorithm with SSL/TLS for registration and authorization? And for all other transmission, just SSL/TLS? I will use C# Sockets for the implementation. How…
1
vote
1 answer

SRP in local, private wireless network

I am trying to secure the connection between a single-page webApp (angularJS, loaded from a secure source via SSL) and a local server (called BOX) inside the private, local wifi of the user. So the webApp is loaded in the browser via HTTPS and then…
Andresch Serj
  • 217
  • 1
  • 8
1
vote
1 answer

What is the purpose of "g" -> generator of the multiplicative group

I am currently beginning to study the different security protocols and came across the SRP secure remote password protocol. I managed to understand the mathematical formulas behind it and the calculation, but I do not understand the reason/purpose of…
Tito
  • 113
  • 2
1
vote
1 answer

Advantages of TLS-SRP when the secret must be exchanged online?

I've got some practical questions about SRP when the shared secret must be established online. Is there a way to establish the shared secret online without the use of HTTPS? If you've already used HTTPS to establish the shared secret, why bother…
Gili
  • 2,149
  • 3
  • 23
  • 41