Nimbus SRP

• Complete and versatile Java library for Secure Remote Password authentication
• Convenient client and server-side session classes
• No dependencies

Secure Remote Password authentication

Secure Remote Password (SRP) is an ingenious authentication method where the user’s password is known to them only and is never communicated outside the user’s computer. Instead, what client and server exchange is a series of cryptographic proofs derived from the password.

Merits of the SRP protocol:

• Zero-knowledge password proof – the password remains private to the user at all times and is never shared with the authenticating server. This greatly reduces the risk of password leakages caused by Heartbleed and similar incidents.
• Resistant to eavesdropping and man-in-the-middle attacks.
• Good resistance to offline dictionary attacks in case the server is compromised.
• Can be used for mutual authentication and to establish a secret session key for encrypted communication.
• A mutually trusted third party is not required.

The Secure Remote Password protocol was devised by Tom Wu during his work at Stanford University. He maintains a web page with academic papers on SRP and links to RFCs and implementations. Another good source of information is the wikipedia SRP article.

Complete and versatile Java library for SRP-6a

This Java library implements the latest improved revision 6a of the SRP protocol (2002).

It was developed to address deficiencies in existing open source Java implementations which became apparent during a project to add SRP authentication to the Json2Ldap web service for LDAP directory access.

Why choose Nimbus SRP?

• Complete JavaDocs: Browse online.
• Customisable: Allows application-specific tuning of all security parameters. With Nimbus SRP you can use your preferred ‘N’ / ‘g’ crypto parameters and hash algorithm (SHA-256, PBKDF2, …). You can also define your custom routines for the password key ‘x’ as well as for the client and server evidence messages ‘M1’ and ‘M2’.
• Transport independent: No assumptions are made about how the SRP protocol messages are communicated between client and server.
• Interoperable: Can be easily made to work with other server or client SRP implementations, for example if you’re using browser-based JavaScript clients.
• Small and efficient: The JAR is just 32 KB and has no external dependencies.

Open source license

The Nimbus SRP library is provided under the terms of the Apache 2.0 licence.

Commercial support

Commercial support is available, just talk to us.

Documentation

• Library usage
• Nimbus SRP JavaDocs
• Interactive command-line tools
• Datasheet

Related Software

• Thinbus SRP – JavaScript client for SRP-6a authentication utilising Nimbus SRP on the server side.

Articles

• User passwords should never leave the browser – blog post about SRP in light of the lessons from Heartbleed.

Download

The Nimbus SRP library is available in source code as well as binary packages.

Download Nimbus-SRP