How Do I Prove My Password, Without Giving You It? The Magic of SRP


We often build insecure systems, passing our passwords over channels that can contain sniffing agents, such as a man-in-the-middle, which can discover our password. Often we use HTTPS as a tunnel, and authenticate only one side to the other. The method often used to authenticate Bob the Server to Alice the User is a digital certificate. So how do we authenticate each side, and pass the proof of the password, without actually storing the password?

One method to improve the process is the Secure Remote Password (SRP) protocol. In this protocol the server does not contain any password-related data, and the client provides a proof that it knows the password, without giving away what the password is.

SRP

A demo of this method is defined here.

So Alice has a password p, and wants to register it with Bob the Server.

Alice selects some salt (s) and computes a hash of s and p:

x = Hash (s,p)

Next she calculates v using a generator value (g):

v = gˣ

Alice sends v (and s) to Bob the Server, who indexes (v, s) with a value of I. The password is now registered with Bob the Server.
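The registration step above, followed by the login exchange it makes possible, as an added example (not the author's code). It goes beyond the registration shown so far by following the SRP-6a equations; the demo modulus N, SHA-256 with this byte encoding, and the function names are assumptions.

```python
import hashlib
import secrets

# Demo group (assumption): 2**255 - 19 is a known prime, used only to keep the
# example short. Real SRP uses the large safe-prime groups from RFC 5054.
N = 2**255 - 19
g = 2

def H(*parts):
    """Hash ints/bytes together into an integer (simplified encoding, assumption)."""
    h = hashlib.sha256()
    for part in parts:
        if isinstance(part, int):
            part = part.to_bytes((part.bit_length() + 7) // 8 or 1, "big")
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier

def register(password):
    """Alice's side of registration: returns (s, v); p itself is never sent."""
    s = secrets.token_bytes(16)
    x = H(s, password.encode())  # x = Hash(s, p)
    v = pow(g, x, N)             # v = g^x, reduced mod N
    return s, v

def login(db, I, password):
    """Run both sides of one SRP-6a login; return (alice_key, bob_key)."""
    s, v = db[I]                           # Bob looks up (v, s) by I
    a = secrets.randbelow(N - 2) + 1       # Alice's ephemeral secret
    A = pow(g, a, N)                       # Alice -> Bob: I, A
    b = secrets.randbelow(N - 2) + 1       # Bob's ephemeral secret
    B = (k * v + pow(g, b, N)) % N         # Bob -> Alice: s, B
    if A % N == 0 or B % N == 0:           # each side must reject a zero value
        raise ValueError("invalid public value")
    u = H(A, B)
    # Alice recomputes x from the password she typed and strips k*v out of B.
    x = H(s, password.encode())
    S_alice = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    # Bob uses only the stored verifier; he never sees p or x.
    S_bob = pow((A * pow(v, u, N)) % N, b, N)
    return H(S_alice), H(S_bob)
```

The two keys agree only when the password typed at login matches the one used at registration. In a real run each side sends a proof derived from its key rather than the key itself.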


Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice
