What does SRP do?

First and foremost, SRP is a strong password authentication protocol. It was designed as a solution to the age-old problem of deploying logins and passwords in a distributed system across networks that may be monitored or compromised by adversaries. While the strongest version of SRP, known as SRP-3, performs very well in such a role, it is also versatile enough to serve in other capacities, namely as a zero-knowledge identification protocol and as an efficient asymmetric key-exchange protocol.

Password Authentication

SRP addresses a fairly specific class of hard password authentication problems, namely that of authenticating a network user to a server host, both of which reside on a network susceptible to both passive and active attacks and subject to the following constraints:

No third party is involved in the authentication process.
The system is password-only, which means that the user uses only a memorized password for authentication. No keyfiles or other persistent forms of secure storage are used on the client side.

This particular brand of authentication has a surprisingly large number of applications in the real world, including but not limited to:

Authentication of remote logins to multiuser systems. A good example is the telnet program found on Unix systems.
User-based access controls on Web sites.
Authentication for X-terminals or Network Computers (NCs).
Network service authentication on LANs, e.g. Novell NetWare.
Public telephones, cellular telephones, ATMs, or set-top boxes.

In general, such authentication technology applies to any situation where a client is used by more than one person or where physical constraints prevent secure long-term storage of private key information. In addition, even when client-side storage is possible (e.g. on personal workstations or PCs), avoiding it and using passwords is advantageous because they are inherently portable and difficult to steal.

Zero-Knowledge Identification

SRP has also attracted attention from academic circles because it has properties of a classical zero-knowledge (ZK) identification protocol. A two-party ZK protocol has two parties, the prover, who knows a secret, and a verifier, who must be convinced that the prover knows the secret. The three distinguishing characteristics of such a protocol are:

The verifier does not possess the prover's secret, but still has enough information to tell if the prover really knows the secret.
The prover does not reveal the secret to the verifier while negotiating the protocol. In fact, no information at all about the secret is communicated to the verifier other than the fact that the prover knows it.
The prover cannot convince the verifier and successfully negotiate the protocol without knowing the secret.

As it turns out, the user's password and host's verifier in SRP correspond exactly to the private secret and public verifier in a ZK protocol. It is easy to prove that SRP satisfies the first two criteria, and it is believed that SRP-3 also satisfies the third.

Zero-knowledge protocols are highly desirable as authentication protocols because they do not leak information about the password even to a legitimate host, which provides protection against both passive snooping and active host impersonation. A user does not have to worry about accidentally revealing a password to someone spoofing the network, because the user's client software does not send out any information to anyone that could be used to recover the password. This was always a risk for systems that tried to set up an encrypted session and then sent the password under that channel.

Asymmetric Key Exchange

SRP also falls into the broad category of asymmetric key exchange protocols. These are broadly defined as protocols which perform secure key exchange but do not require both parties to share secrets beforehand. Instead, either or both parties has a private key whose public key is held by the other party. If the protocol performs secure authentication of one or more of the parties, it is an authenticated asymmetric key exchange protocol.

There are a few such protocols in existence, but all of them require more computation than a conventional symmetric (shared-secret) key exchange protocol. SRP-3 provides a fast authenticated asymmetric key exchange without increasing the computational requirements of the protocol. Unlike most asymmetric protocols, it can function securely even if only one party has a public key set in advance. As an added bonus, it protects the long-term secrets (private keys) from brute force attack. Viewed in this context, SRP-3 is the fastest authenticated asymmetric key exchange protocol, and its security is on par with the best in this class.

Back