What is Secure Remote Password

And why should businesses consider services with SRP support?

As citizens of the Internet age, we’ve probably all heard of the risks of password theft. Many of the biggest data heists of the 21st century are, perhaps not surprisingly, associated with stolen passwords and credentials. But have you ever stopped to think about how exactly using online services can leave you vulnerable to such risks?

Photo by Towfiqu barbhuiya on Unsplash

Before answering the question, let’s take a look at how online registration and login usually works:

1. When you create an account, credentials including your password are saved online, either in an encrypted or unencrypted form.
2. When you try to access the account, the credentials you enter are compared with the ones saved on the server. If they match, you’re in.

But the conventional process is problematic in that saving and transmitting credentials on the Internet can leave you susceptible to:

1. Attacks on the server side, where online thieves hack the database and steal your credentials saved in there.
2. Eavesdropping and man-in-the-middle attacks, where cybercriminals intercept or tamper with the communications between the client and the server, laying hands on your password.

How does SRP work
When the conventional approach puts sensitive user info at stake, you need a safer way. Secure Remote Password (SRP) will do the job.

SRP is a protocol where a client and a server authenticate to each other without ever storing or sending password-related info over the network. Specifically, here’s what happens behind the scene.

When you sign up:

1. The server generates a random salt, which is used with the entered password to calculate X through the SHA-256 (or a random hash function) algorithm.
2. The value X is then used with a constant g to generate a verifier.
3. Your username, salt and verifier are sent to the server, where they are stored separately in the database.

Image by <Matthew Green> on <A Few Thoughts on Cryptographic Engineering>

When you try to log in:

1. Once you provide your username, the client and the server will both generate a secret (a & b in the illustration below). The system uses the current timestamp in computing hash values for new secrets, which are created with each login attempt. Therefore, a and b are ensured to be different every time you log in.
2. Secret a & b will be combined with other values to derive a session key for each side. If the key from the client side matches the one on the server, login is authenticated. In the process, the session keys are never transmitted over the Internet. Instead, the client and the server use two different expressions to calculate from the keys a set of results, which are then compared to see if they match (see here for detailed calculation).

Image by <Yuren Ju> on <Medium>

Benefits of deploying SRP
SRP solves the security challenges of traditional authentication because

• During registration:

1. Your password is never sent to the server. The only data to be transmitted over the network is the salt, verifier and your username, making server-side attacks a non-issue.
2. The verifier is generated with X, which is derived using a random salt and SHA-256 encryption. Even if the verifier is intercepted, hackers still need to work through complex discrete logarithms and SHA-256 collisions to find a password that works every time. Due to the limits of computational power, it’s virtually impossible to reverse-engineer the password.

• During login:

1. By taking advantage of zero-knowledge proofs, SRP reduces the possibility of session keys being leaked or stolen.
2. A new key is created every time you try to access your account, and each key is valid for the current session only. Hackers might manage to crack an old key, but by the time you log in again, it’s invalid already. In other words, there will always be a new key waiting. Just imagine how much time and toil this will take.

Underpinned by the complexity of discrete logarithms, SRP provides strong resistance to data leaks. Choosing services with SRP support is hence an effective way to protect your online apps from foul play. C2 Identity is an excellent service of this kind.

C2 Identity is Synology’s Identity and Access Management (IAM) solution. Leveraging the SRP protocol, it provides all-around protection for user accounts. From registration, device/web login to change of passwords, we help defend your data every step of the way.

What’s better, under the IAM structure, users can access multiple apps and services with a single set of credentials. This will provide them with an easy, convenient experience, all while delivering heightened security measures.

C2 Identity is now offering a 30-day trial. Learn more and try for free.