SRP Documentation



T. Wu, The Secure Remote Password Protocol, in Proceedings of the 1998 Internet Society Network and Distributed System Security Symposium, San Diego, CA, Mar 1998, pp. 97-111.

Abstract: This paper presents a new password authentication and key-exchange protocol suitable for authenticating users and exchanging keys over an untrusted network. The new protocol resists dictionary attacks mounted by either passive or active network intruders, allowing, in principle, even weak passphrases to be used safely. It also offers perfect forward secrecy, which protects past sessions and passwords against future compromises. Finally, user passwords are stored in a form that is not plaintext-equivalent to the password itself, so an attacker who captures the password database cannot use it directly to compromise security and gain immediate access to the host. This new protocol combines techniques of zero-knowledge proofs with asymmetric key exchange protocols and offers significantly improved performance over comparably strong extended methods that resist stolen-verifier attacks such as Augmented EKE or B-SPEKE.

View the paper in HTML or PostScript.
View the slides from the NDSS presentation.

T. Wu, SRP-6: Improvements and Refinements to the Secure Remote Password Protocol, Submission to the IEEE P1363 Working Group, Oct 2002.

Abstract: This document addresses two specific security and operations issues with the Secure Remote Password Protocol, the first being the "two-for-one" active password guessing attack by an attacker posing as a server, and the second being the message ordering property which requires that the server wait for the client's exponential residue before sending its own. The effect that these improvements have on real-world implementations of SRP is also explored.

View the paper in PostScript.


Strong password protocols have been incorporated into a number of standards:

SRP: RFC 2945, RFC 5054, P1363.2, IEC 11770-4
SPEKE: P1363.2, IEC 11770-4
AMP: P1363.2, IEC 11770-4

IETF Documents

RFC 2945
The SRP RFC describes the SRP authentication mechanism in detail. (local copy)

RFC 2944
A full description of the Telnet Authentication Option for SRP, based on RFC 2941, Telnet Authentication. (local copy)

RFC 5054
SRP-based ciphersuites in SSL/TLS for authentication and key exchange. (local copy)

A proposal for end-to-end encryption of XMPP traffic that uses TLS-SRP as one of the supported authentication mechanisms.

Using SRP with HIP (Host Identity Protocol)

A proposal for a secure password-based SASL (Simple Authentication and Security Layer) mechanism based on SRP. A sample implementation is available from the Cryptix project.

A proposal for SRP authentication in PPP that addresses plaintext-equivalence and eavesdropping attacks.

A proposal to the CAT (Common Authentication Technologies) IETF Working Group for SRP as a low-infrastructure GSS-API mechanism.

A proposal for leveraging the security of SRP as a strong user authentication mechanism in Secure Shell. This has already been adopted by LSH as a user authentication option.


The IEEE P1363 Working Group has started a Study Group entirely focused on strong password protocols. SRP, SPEKE, SNAPI, AuthA, and AMP are among the submissions that this group will evaluate for eventual standardization.