Nimbus SRP

• The most complete and versatile Java library for Secure Remote Password authentication
• Convenient client and server-side session classes
• No external package dependencies

Secure Remote Password authentication

Secure Remote Password (SRP) is an ingenious authentication method where the password remains private to the user at all times and never has to be communicated beyond their computer; instead, what client and server exchange is a series of cryptographically secured messages.

Merits of the SRP protocol:

• Zero-knowledge password proof -- the password remains private to the user at all times and is never shared with the authenticating server. This greatly reduces the risk of password leakages caused by Heartbleed and similar incidents.
• Resistant to eavesdropping and man-in-the-middle attacks.
• Good resistance to offline dictionary attacks in case the server is compromised.
• May be used for mutual authentication and to establish a secret session key for encrypted communication.
• A mutually trusted third party is not required.

The Secure Remote Password protocol was devised by Tom Wu during his work at Stanford University. He maintains a web page with academic papers on SRP and links to RFCs and implementations. Another good source of information is the wikipedia SRP article.

The most complete and versatile SRP-6a Java library

This Java library implements the latest improved revision 6a of the SRP protocol (2002).

It was created to address deficiencies in existing open source Java implementations which became apparent during a project to add SRP authentication to the Json2Ldap web service for LDAP directory access.

Why choose Nimbus SRP?

• Superb JavaDocs: Just see it for yourself!
• Customisable at all levels: Allows application-specific tuning of all security parameters. With Nimbus SRP you can use your preferred 'N' / 'g' crypto parameters and hash algorithm (SHA-1, SHA-256, PBKDF2, ...). You can also define your custom routines for the password key 'x' as well as for the client and server evidence messages 'M1' and 'M2'.
• Transport independence: No assumptions are made about how the SRP protocol messages are communicated between client and server.
• Interoperability: Can be easily made to work with other server or client SRP implementations, for example if you're using browser-based JavaScript clients.
• Small and efficient: The JAR is just 32 KB and has no external dependencies.

Open source licence

The Nimbus SRP library is provided under the terms of the Apache 2.0 licence.

Commercial support

Commercial support is available, just talk to us.

Documentation

• Library usage
• Nimbus SRP JavaDocs
• Interactive command-line tools
• Datasheet

Related Software

• Thinbus SRP -- JavaScript client for SRP-6a authentication utilising Nimbus SRP on the server side.

Articles

• User passwords should never leave the browser -- blog post about SRP in light of the lessons from Heartbleed.

Download

The Nimbus SRP library is available in source code as well as binary packages.

Download Nimbus-SRP