Skip to content
Connect2id

Datasheet

Secure Remote Password (SPR) protocol

Nimbus SRP implements revision 6a of the Secure Remote Password protocol (2002). It provides:

  • Verifier generation
  • Client-side authentication
  • Server-side authentication

The default routines for computing the various protocol variables and messages comply with RFC 5054 (SRP for TLS), with the following exceptions / additions:

  • The computation of the password key ‘x’ is modified to omit the user identity ‘I’ in order to allow for server-side user identity renaming as well as authentication with multiple alternate identities.
  • Adds routines for computing the evidence messages ‘M1’ and ‘M2’, according to Tom Wu’s paper “SRP-6: Improvements and refinements to the Secure Remote Password protocol”, table 5, from 2002.

The library provides interfaces for plugging in custom routines for the password key ‘x’ as well as for the client and server evidence messages ‘M1’ and ‘M2’.

Requirements

  • Java 7+

License

The Nimbus SRP library comes with an open source Apache 2.0 license.

Configuration

The verifier generator supports the following configuration settings:

  • Preferred crypto parameters safe prime ‘N’ and generator ‘g’.
  • Choice of hash algorithm.
  • Custom password key ‘x’ routine.

The client and server session classes support the following configuration settings:

  • Preferred crypto parameters safe prime ‘N’ and generator ‘g’.
  • Choice of hash algorithm.
  • Configurable session timeouts.
  • Custom password key ‘x’ routine.
  • Custom routine for the ‘u’ hash of ‘A’ and ‘B’.
  • Custom client evidence message ‘M1’ routine.
  • Custom server evidence message ‘M2’ routine.