Highest Voted 'srp' Questions - IT Security Stack Exchange

13

votes

3 answers

Can I use the same password both for SRP and for client-side encryption?

Suppose a less-than-trusted server is used to store users' confidential data (encrypted at the client side), and both tasks - authentication and encryption/decryption - should be doable with a single password. Would it be enough to: Strenghten the…

asked Jun 14 '13 at 09:08

mgibsonbr

2,905
2
20
35

7

votes

1 answer

Forcing new password with zero-knowledge proof authentications

Let's say a ZKP (e.g. SRP6a) is used, for password verification. Let's say I need to force a user to change their password (so I have the salt and the verifier for the current password). For this, the client will need to send me the new salt and…

salt srp

asked Jul 23 '15 at 21:10

Pawel Veselov

541
5
11

7

votes

2 answers

Will OpenSSL's TLS-SRP still provide PFS if all credentials are public?

The obvious go-to for PFS is DHE (or ECDHE). But I'm wondering if using tls-srp but with fixed (and therefore can be considered publicly known) credentials can achieve PFS as well. I suspect this is the case, since one of the features of SRP is that…

tls openssl srp

asked Nov 11 '15 at 03:26

evilquesadilla

71
1

6

votes

1 answer

Feeding PBKDF2 to SRP verifier creation

There is an older game that solely uses UDP to communicate, and I wanted to add password authentication to the game to facilitate things like experience points and rankings. To this end, I decided to go with an implementation of SRP-6a communicated…

passwords hash protocols srp

asked Nov 19 '14 at 23:50

AlexMax

163
3

4

votes

4 answers

How do clients enroll using SRP?

From what I understand, one of the benefits or Secure Remote Password (SRP) is that is does not require reliance on certificate authorities. In a scenario where clients need the ability to register as a new user how does this work? I can only…

passwords authentication cryptography srp

asked Jan 31 '14 at 16:13

BahKoo

103
1
3

4

votes

1 answer

Why isn't Secure Remote Password protocol being used in REST APIs?

I have seen a few samples of SRP protocol used for web applications and I wonder why nobody ever uses it for RESTful authentication. I have done some research and I couldn't find any single example, not even one. SRP together with password hashing…

authentication web-service rest srp

asked Jan 24 '18 at 14:00

leventunver

141
4

4

votes

1 answer

SRP or WebCrypto challenge?

For a new website (HTTPS with HSTS+HPKP), we would like to restrict login access only on authorized user's devices. For that, there is a WebCrypto ECDSA public/private keys generated on each new device. The server store the public key of the new…

account-security srp

asked Oct 25 '17 at 18:01

lakano

155
8

3

votes

1 answer

TLS: is authentication and forward secrecy possible without PKI?

Im making a project that consist of a client/server system that requires TLS without PKI.. Design Requirements: The client MUST authenticate that it's communicating with 'THE' server The server MUST authendicate that it's communicating with 'A'…

tls cryptography forward-secrecy srp

asked Jul 12 '17 at 19:41

Aristos Miliaressis

31
1

2

votes

1 answer

Any good tutorials / libaries for implementing TLS-SRP?

In this thread, Tom Ptacek explains what Password-Authenticated Key Exchanges are, and it got me really interested in them. If I'd like to start learning about how to build them into real world software communication protocols, where can I find a…

tls srp

asked Dec 22 '13 at 07:22

user3025492

123
2

2

votes

0 answers

Authentication mechanism without sending password on server-side

My customer is currently using Secure Remote Password (with SSL) for authentication. The reason is that he does not want to send the user password on the server-side, to prove no confidential user data is stored on the server-side (only the salt and…

authentication srp

asked Jun 20 '18 at 13:47

rico

361
3
8

2

votes

2 answers

Could PKE be used as a better alternative to SRP for authentication?

If I understood SRP correctly, its weakpoint is during the registration of a user when sending the verifier to the server. Let's say the Server knows the PubKey(User) of the User and the User knows the PubKey(Server) of the Server. For…

encryption passwords srp

asked Oct 06 '15 at 08:08

PKEvsSRP

21
1

1

vote

0 answers

Questions about SRP algorithm

I trying to use SRP algorithm but I have some questions: Is that a good choice to use for registration and authorization SRP algorithm with SSL/TLS? And for all other transmission using just SSL/TLS? I will use C# Sockets for implementation. How…

encryption tls authentication cryptography srp

asked Feb 15 '15 at 22:53

konstantin_doncov

157
6

1

vote

1 answer

SRP in local, private wireless network

i am trying to secure the connection between a single-page webApp (angularJS, loaded from a secure source via SSL) to a local server (called BOX) inside the private, local wifi of the user. So the webApp is loaded in the browser via HTTPS and then…

tls wifi srp

asked Jan 26 '15 at 11:30

Andresch Serj

217
1
8

1

vote

1 answer

What is the purpose of "g" -> generator of the multiplicative group

I am currently beginning to studying the different security protocols and came across the SRP secure remote password protocol. I manage to understand the mathematic formulas behind it and the calculation but i do not understand the reason/purpose of…

cryptography srp

asked Aug 14 '14 at 13:20

Tito

113
2

1

vote

1 answer

Advantages of TLS-SRP when the secret must be exchanged online?

I've got some practical questions about SRP when the shared secret must be established online. Is there a way to establish the shared secret online without the use of HTTPS? If you've already used HTTPS to establish the shared secret, why bother…

tls srp

asked May 26 '14 at 02:33

Gili

2,149
3
23
41

Questions tagged [srp]