Nimbus SRP

  • The most complete and versatile Java library for Secure Remote Password authentication
  • Convenient client and server-side session classes
  • No external package dependencies

Secure Remote Password authentication

Secure Remote Password (SRP) is an ingenious authentication method where the password remains private to the user at all times and never has to be communicated beyond their computer; instead, what client and server exchange is a series of cryptographically secured messages.

Merits of the SRP protocol:

  • Zero-knowledge password proof - the password remains private to the user at all times and is never shared with the authenticating server.
  • Resistant to eavesdropping and man-in-the-middle attacks.
  • Good resistance to offline dictionary attacks in case the server is compromised.
  • May be used for mutual authentication and to establish a secret session key for encrypted communication.
  • A mutually trusted third party is not required.

The Secure Remote Password protocol was devised by Tom Wu during his work at Stanford University. Details, papers and a reference implementation can be found on the Stanford SRP page. The wikipedia SRP article has good introductory information.

The most complete and versatile SRP-6a Java library

This Java library implements the latest improved revision 6a of the SRP protocol (2002).

It was created to address a number of deficiencies in existing open source Java implementations which became apparent during a project to add SRP support to the Connect2id Json2Ldap web service.

Why choose Nimbus SRP?

  • Superbly documented: See the Nimbus SRP JavaDocs.
  • Customisable at all levels: Allows application-specific trade-offs between security and efficiency. With Nimbus SRP you can use your preferred ‘N’ / ‘g’ crypto parameters and hash algorithm (SHA-1, SHA-256, SHA-512, …). You can also define your custom routines for the password key ‘x’ as well as for the client and server evidence messages ‘M1’ and ‘M2’.
  • Transport independence: No assumptions are made about how the SRP protocol messages are communicated between client and server.
  • Interoperability: Can be easily made to work with other server or client SRP implementations, for example if you’re using browser-based JavaScript clients.
  • Small and efficient: No external dependencies. The JAR is just 25 Kbytes.

The Nimbus SRP library is offered under a dual licence, to benefit community open source projects as well as proprietary application developers who wish to be better supported.


Road map

  • Routine for generation of mock salt and verifier values to handle bad authentication attempts without revealing the exact cause (bad user identity or bad password).
  • Add session serialisation support (e.g. to JSON).
  • JavaScript SRP-6a client.


The Nimbus SRP library is available under a dual licence:

  • GPL 2.0 licence If you wish to use the library in a community open source project.
  • Paid licence If you wish to integrate the library in a proprietary application or service. Also provides you with dedicated support for 12 months.

Download Nimbus-SRP