An RFC 5054-compatible SRP Client for Javascript.

sachmata/srp-client

 
 


Javascript Client for the Secure Remote Password Protocol (SRP)

Warning: this is an alpha release and is not ready for production use. Peer review is appreciated.

This library implements a Javascript client for the SRP protocol. The client aims to be compatible with SRP revision 6A, as defined in RFC 5054 ("Using the Secure Remote Password (SRP) Protocol for TLS Authentication"). It is released under the MPL.

The code is directly based on Tom Wu's Javascript SRP demo, which is released under the SRP license.

Testing

This library is tested with Jasmine using the official test vectors from the SRP specification. The specs can be run by opening SpecRunner.html in your browser.

Usage

Configuration

As shown in the examples below, this library accepts 1024, 1536, 2048, 4096, 6144 and 8192-bit group parameters. The default is 1024 bits.

Registration Example

<html>

<head>
  
  <script type="text/javascript" src="jsbn.js"></script>
  <script type="text/javascript" src="sha1.js"></script>
  <script type="text/javascript" src="random.js"></script>
  <script type="text/javascript" src="srp-client.js"></script>

  <script type="text/javascript">

  var bits     =  2048;
  var username = 'username';
  var password = 'password';

  var srp = new SRPClient(username, password, bits);

  // 1. The client generates a random hex salt.
  var salt = srp.randomHexSalt();
  
  // 2. The client calculates its verifier value.
  var v = srp.calculateV(salt);
  
  // 3. The client sends the username, salt and
  // verifier to the server, which stores all three.
  
  </script>

</head>

</html>

Authentication Example

<html>

<head>

  <script type="text/javascript" src="jsbn.js"></script>
  <script type="text/javascript" src="sha1.js"></script>
  <script type="text/javascript" src="sjcl.js"></script>
  <script type="text/javascript" src="srp-client.js"></script>

  <script type="text/javascript">
  
  var username = 'username';
  var password = 'password';

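  var srp = new SRPClient(username, password, 2048);

  // The salt and verifier come from registration: the server stored
  // them and returns the salt to the client during authentication.
  // They are recomputed here only so this single-page demo runs.
  var salt = srp.randomHexSalt();
  var v = srp.calculateV(salt);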

  // 1. The client generates and stores A.
  var a = srp.srpRandom();
  var A = srp.calculateA(a);

  // 2. The client sends A to the server.
  
  // 3. The server receives A and generates B.
  var b = srp.srpRandom();
  var B = srp.calculateB(b);

  // 4. The client and the server both calculate U.
  var u = srp.calculateU(A, B);

  // 5. The client generates its premaster secret.
  var Sc = srp.calculateS(B, salt, u, a);
  
  // 6. The server generates its premaster secret.
  var Ss = srp.calculateServerS(A, v, u, b);

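  // 7. The client and the server verify the secrets.
  // (Demo only: both sides run in this one script. In a deployment
  // neither side ever transmits S.)
  console.log('Server and client secrets match:');
  console.log(Sc.toString() === Ss.toString());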

  </script>

</head>

</html>
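
The arithmetic behind the calls in the two examples above, as an added example that is not part of this library: a Node.js implementation of the RFC 5054 formulas on the 1024-bit group, including the aborts the RFC requires when A % N or B % N is zero. The function names (calcX, calcV, calcA, calcB, calcU, clientS, serverS, demo) are hypothetical and are not srp-client's API; the sample credentials and salt are the ones used in RFC 5054 Appendix B.

```javascript
const crypto = require('crypto');
// RFC 5054 Appendix A, 1024-bit group with g = 2.
const N = BigInt('0x' +
  'EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576' +
  'D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1' +
  '5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC' +
  '68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3');
const g = 2n;
const LEN = 128; // bytes in N; PAD() left-pads values to this length

const sha1 = (...bufs) => crypto.createHash('sha1').update(Buffer.concat(bufs)).digest();
const toInt = (buf) => BigInt('0x' + buf.toString('hex'));
const pad = (n) => Buffer.from(n.toString(16).padStart(LEN * 2, '0'), 'hex');
function modPow(base, exp, mod) {            // square-and-multiply
  let r = 1n;
  for (base %= mod; exp > 0n; exp >>= 1n, base = (base * base) % mod)
    if (exp & 1n) r = (r * base) % mod;
  return r;
}

const k = toInt(sha1(pad(N), pad(g)));       // k = SHA1(N | PAD(g))
// x = SHA1(salt | SHA1(I ":" P)), the private key derived from the password.
const calcX = (saltHex, user, pass) =>
  toInt(sha1(Buffer.from(saltHex, 'hex'), sha1(Buffer.from(user + ':' + pass))));
const calcV = (x) => modPow(g, x, N);                      // verifier stored by the server
const calcA = (a) => modPow(g, a, N);
const calcB = (b, v) => (k * v + modPow(g, b, N)) % N;
const calcU = (A, B) => toInt(sha1(pad(A), pad(B)));       // u = SHA1(PAD(A) | PAD(B))

// Client: RFC 5054 requires aborting when B % N is zero.
function clientS(B, x, u, a) {
  if (B % N === 0n) throw new Error('abort: B % N == 0');
  const base = (((B - k * modPow(g, x, N)) % N) + N) % N;  // keep the base non-negative
  return modPow(base, a + u * x, N);
}
// Server: abort when A % N is zero, since S would then be 0 for any verifier.
function serverS(A, v, u, b) {
  if (A % N === 0n) throw new Error('abort: A % N == 0');
  return modPow((A * modPow(v, u, N)) % N, b, N);
}

// Full exchange with fresh 256-bit ephemerals for both sides.
function demo(user, pass, saltHex) {
  const rand = () => toInt(crypto.randomBytes(32));
  const x = calcX(saltHex, user, pass), v = calcV(x);
  const a = rand(), b = rand(), A = calcA(a), B = calcB(b, v), u = calcU(A, B);
  return clientS(B, x, u, a) === serverS(A, v, u, b);
}
console.log('secrets match:', demo('alice', 'password123', 'BEB25379D1A8581EB5A727673A2441EE'));
```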

Further Reading

  • RFC 2945 - The SRP Authentication and Key Exchange System
  • RFC 5054 - Using the Secure Remote Password (SRP) Protocol for TLS Authentication

License

This library is released under the MPL.
