Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

srp

Package Overview
Dependencies
Maintainers
1
Versions
4
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

srp

Secure Remote Password (SRP)

  • 0.0.4
  • Source
  • npm
  • Socket score

Version published
Weekly downloads
28
increased by75%
Maintainers
1
Weekly downloads
 
Created
Source

build status

#SRP - Secure Remote Password

Implementation of the SRP Authentication and Key Exchange System and protocols in Secure Remote Password (SRP) Protocol for TLS Authentication

The goals are to provide at a minimum:

  • [done] SRP function library that passes RFC 5054 tests
  • [done] SRP server
  • [done] SRP test client
  • SRP client lib for Node.js
  • JavaScript browser client (maybe)
  • Interoperability with Mozilla Identity-Attached Services

##Prerequisites

GNU libgmp for those big big numbers.

  • debian: libgmp3-dev
  • OSX brew: gmp

##Installation

npm install srp

or git clone this archive and run npm install in it.

##Tests

Run npm test.

Tests include vectors from:

##Description of the Protocol

###Initial Setup

Carol the Client wants to share messages with Steve the server. Before this can happen, they need to perform a one-time setup step.

Carol and Steve agree on a large random number N and a generator g. These can be published in advance or better yet hard-coded in their implementations. They also agree on a cryptographic hashing function H.

Carol establishes a password and remembers it well. She the generates some random salt, s, and compputes the verifier v as g ^ H(s | H(I | ':' | P)) % N, where I is Carol's identity, and | denotes concatenation.

Carol then sends Steve I, s, and v. She also sends the size of N and the name of the hashing algorithm she has chosen.

Steve stores I, s, and v. Carol remembers P. This sequence is performed once, after which Carol and Steve can use the SRP protocol to share messages.

###Message Protocol

First, Carol generates an ephemeral private key a. She computes the public key A as g^a % N. She sends Steve I and A.

Client sends I, A.

Steve looks up v and s. Steve generates an ephemeral private key b and computes the public key B as k * v + g^b % N, where k is H(N | PAD(g)). (PAD designates a function that left-pads a byte string with zeroes until it is the same size as N.) Steve sends s and B.

Server replies with s and B.

Both now compute the scrambling parameter u as u = H(PAD(A) | PAD(B)).

Now both Carol and Steve have the parameters they need to compute their session key, S.

For Carol, the formula is:

S_client = (B - k * g^x) ^ (a + u * x)

For Steve, the formula is:

S_server = (A * v ^ u) ^ b

They both now compute the shared session key, K, as H(S). (The hash is taken to obscure any structure that may be visible in S.)

Now Carol and Steve must convince each other that their values for K match. Here, Carol hashes and hashes again her session key and sends it to Steve. If he gets the same result when hashing his session key twice, he hashes his session key once and sends it back to Carol, who can check if she wishes that she gets the same value.

###Glossary of Terms

N a large prime number

g a generator

H a secure hashing function

| the concatenation operator

PAD a function that left-pads a block of bytes with zeroes until it is the same length as N

I the identity of the client (a string)

P the password of the client (a string)

s some random salt (a string)

v the verifier

k a multiplier, H(N | PAD(g))

u a scrambling parameter

a an ephemeral private key known to the client

A the public key from a

b an ephemeral private key known to the server

B the public key from b

x an intermediate value, H(s | H(I | ":" | P))

S the session key

K a hash of the session key shared between client and server

##Resources

##License

MIT

FAQs

Package last updated on 04 Jul 2013

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc