The Secure Remote Password Protocol, in Proceedings of
the 1998 Internet Society Network and Distributed System Security
Symposium, San Diego, CA, Mar 1998, pp. 97-111.
This paper presents a new password authentication and key-exchange protocol
suitable for authenticating users and exchanging keys over an untrusted
The new protocol resists dictionary attacks mounted by either passive or
active network intruders, allowing, in principle, even weak passphrases to be
It also offers perfect forward secrecy, which protects past sessions and
passwords against future compromises.
Finally, user passwords are stored in a form that is not plaintext-equivalent
to the password itself, so an attacker who captures the password database
cannot use it directly to compromise security and gain immediate access to the
This new protocol combines techniques of zero-knowledge proofs with asymmetric
key exchange protocols and offers significantly improved performance over
comparably strong extended methods that resist stolen-verifier attacks such as
Augmented EKE or B-SPEKE.
View the paper in HTML or
View the slides from the NDSS presentation.
T. Wu, SRP-6: Improvements and Refinements to the Secure Remote Password Protocol, Submission to the IEEE P1363 Working Group, Oct 2002.
This document addresses two specific security and operations issues
with the Secure Remote Password Protocol,
the first being the "two-for-one" active password guessing attack
by an attacker posing as a server,
and the second being the message ordering property which requires
that the server wait for the client's exponential residue
before sending its own.
The effect that these improvements have on real-world
implementations of SRP is also explored.
View the paper in PostScript.
Strong password protocols have been incorporated into a number of standards:
- RFC 2945: The SRP RFC describes the SRP authentication mechanism in detail.
- RFC 2944: A full description of the Telnet Authentication Option for SRP, based on RFC 2941, Telnet Authentication.
- RFC 5054: SRP-based ciphersuites in SSL/TLS for authentication and key exchange.
- A proposal for end-to-end encryption of XMPP traffic
that uses TLS-SRP as one of the supported
- Using SRP with HIP (Host Identity Protocol)
- A proposal for a secure password-based SASL
(Simple Authentication and Security Layer) mechanism
based on SRP.
A sample implementation is available from the
- A proposal for SRP authentication in PPP that addresses
plaintext-equivalence and eavesdropping attacks.
- A proposal to the CAT (Common Authentication Technologies) IETF
Working Group for SRP as a low-infrastructure GSS-API mechanism.
- A proposal for leveraging the security of SRP as a strong
user authentication mechanism in Secure Shell.
This has already been adopted by LSH as a user
IEEE P1363 WG
The IEEE P1363 Working Group
has started a
entirely focused on strong password protocols.
SRP, SPEKE, SNAPI, AuthA, and AMP are among the submissions that this
group will evaluate for eventual standardization.