SRP JavaScript Demo

This demo uses a combination of JavaScript and Java to demonstrate the mathematical steps behind the Secure Remote Password Protocol.

Run the demo

Quick start instructions: Type the word password into the red client password field, press TAB, and watch the status field at the bottom change to indicate successful authentication.

Navigating the demo

The demo is organized like a spreadsheet. Based on the values placed in certain input fields, the values of intermediate and output fields are calculated. Changes in either primary input fields or intermediate fields are propagated to dependent fields once the change is made. Usually this happens when you TAB out of the field or click somewhere else on the page.

Fields in bold are primary user-input fields. The username defaults to user and the server's password defaults to password. If the client's password is the same as the server's password, then the protocol ensures that the client and server sessions keys (S) match up, regardless of the values of the other inputs.

Fields in italics are dependent fields. Their values are calculated from other fields, so it is not recommended that they be changed manually. Doing so may make the values calculated by the demo inconsistent.

Fields in plain text are "automatic" input fields. In some cases, like the N and g parameters, these fields are normally picked from a predefined set of values. In other cases, the values of the fields are generated randomly. Although it is possible to enter values manually into these fields, the values may be overwritten by other controls on the page.

The "radix" radio button controls the base used to display numeric values. Changing this setting does not alter the actual values of any fields.

The SRP variant radio button selects the protocol in use. This affects the value of k, as well as the formula used to compute u.

Browser requirements

This demo requires a browser that supports both JavaScript and Java. It needs access to the java.math.BigInteger class to do large number arithmetic. Some browsers (e.g. Netscape, Mozilla) allow JavaScript code to create Java objects directly through JavaScript, while others (e.g. Internet Explorer) require the assistance of a small "helper" Java applet to construct BigInteger objects. This requires that your browser support LiveConnect, a feature that allows applets to be called and controlled directly from JavaScript.

The SRP JavaScript demo has been tested successfully under the following browser environments:

Mozilla 1.x, Netscape 6, 7
- Linux (NS7, Mozilla 1.1)
- MacOS X.1 (NS7)
- Windows 98 (NS6.2, NS7), Windows XP (NS7.02)
Netscape 4.x - JDK 1.1.5 w/bignum support required
- Linux (NS4.78)
- Solaris 8 [SPARC] (NS4.7)
- Solaris 7 [x86] (NS4.51)
- AIX 4.3.3 (NS4.61)
- WindowsNT 4.0 (NS4.05)
Internet Explorer
- WindowsNT 4.0 (IE4)
- Windows 98 (IE5, IE6) [MS or Sun JVM]
- Windows XP (IE6) [Sun JVM 1.4.1_01 or _02 or MS JVM]
Opera
- Linux (Opera6.1)

The SRP JavaScript demo does NOT work with the following:

Netscape 6.x
- MacOS 8.6 (NS6.2)
Netscape 4.x
- MacOS 8.6 (NS4.73), MacOS 9 (NS4.7) - no bignum support in Java
Internet Explorer
- Solaris 8 (IE5) - no LiveConnect
- MacOS 8.6 (IE5), MacOS X.1 (IE5.2) - no LiveConnect
- Windows XP (IE6) [Sun JVM 1.4.0_01 or _03] - crash, JVM upgrade needed (see above)
Opera
- MacOS X.1 (Opera 6.0b2) - crash w/LiveConnect
- Solaris (Opera 5.0b1) - no Java
Konqueror - no LiveConnect
HotJava - no JavaScript support
OmniWeb

If your browser and platform are not listed here, it means that they have not yet been tested. Please let me know how well this demo works on your browser, especially if it is an untested configuration.

To aid in testing, use the following LiveConnect test. This test instantiates an applet and attempts to access it using JavaScript.

Try the LiveConnect test now

If the test succeeds, you will see an alert box with the message "LiveConnect test succeeded". Any other response indicates a failure. A successful result means that it is likely your browser will work with the demo as-is, or can be made to work.

Source code

The source code for the demo itself consists of three files:

demo.html - The main JavaScript demo implementation.
sha1.js - A pure JavaScript implementation of the SHA-1 hash algorithm.
bigint.java - The source code to the helper applet.

Use the "Save Link As..." or "Save Target As..." option in your browser to download and save these files.