What Is Secure Remote Password (SRP) Protocol and How to Use It?
“Password” this crazy piece of string worth a lot, get a lot of attention but yet very hard to process & hide. Even with the multi-factor approach, it is crucial to design the first step right (which is what the user knows).
It becomes increasingly harder for the software systems to securely authenticate their users, process the sensitive password in a right & secure way. One of the most common approaches is,
Storing the hashed version of the password using algorithms like Argon2, bcrypt, etc and use it for authenticating the users. By now, this is the minimum baseline for handling sensitive secrets like password, anything below this (like as plain-text or encoded) means you are probably doing the bad thing, stop it, go back to safety!.
Hashed passwords offer a good trade-off between simplicity and security but for a piece of highly sensitive information or system it has its own drawbacks,
- It needed a trusted server to securely process & store the hashed passwords (which promises not to log passwords 😀)
- An attacker with a large password dictionary & a breached database can determine the user’s password
- An attacker can eavesdrop (MITM attack) communication between client and server and can acquire the password.
What we needed, in this case, is a strong Zero-knowledge proof (without transferring password) system that does mutual authentication on the client & server. Let's look at a shy and less popular implementation called Secure Remote Password (SRP)
Secure Remote Password (SRP)
SRP is a secure augmented password-authenticated key agreement (PAKE) protocol that solves the problem of exchanging secrets securely over an untrusted network.
It is a zero-knowledge proof protocol, where the server doesn’t have to store password equivalently information (hashed version), and clients can securely authenticate to the server. And an eavesdropper or man-in-the-middle cannot obtain any meaningful information to perform an attack. SRP offers great benefits such as,
- Can authenticate without needing to…