The SRP Project

The SRP Project was started in 1997 at Stanford University as an authentication system for a Java-based webtop project. Since then, it has evolved into a full-fledged Internet-wide Open Source project, with developers from around the world contributing to the Project. In addition, SRP has been deployed as a secure, free password authentication solution in commercial, non-commercial, and standalone configurations in universities, companies, and organizations worldwide.

The primary goal of the SRP Project is to provide standards, technologies, and implementations that improve password security of existing protocols and applications while preserving the ease-of-use associated with passwords and integrating cleanly with these systems. SRP accomplishes these objectives because it was designed with a number of considerations in mind.

Security - SRP was designed to protect passwords against both passive (eavesdropping, offline dictionary attack on captured traffic) and active (impersonation, man-in-the-middle) network attacks. The Project believes that open research and publication is more likely to produce a truly secure cryptosystem than proprietary, closed-source development. Since its introduction in 1997 and publication in 1998, SRP has been extensively analyzed and studied in the open, and no analysis to date has found a weakness in the protocol. We realize that password security is an active field of research and that SRP, like other systems built on the discrete logarithm problem, remains subject to cryptanalytic advances against that underlying mathematical foundation; deployments should size their group parameters with that in mind.

Convenience - From the user's perspective, the fact that SRP leaves the password interface exactly as it was while delivering secure authentication is perhaps its greatest practical advance. Until now, users have had to compromise: either put up with added inconvenience or accept an imperfect security model. SRP improves on the status quo in both directions at once, achieving the best of both worlds in one package.

Openness - With the increasing importance of Open Source software, it is important that cryptographic technology remain available to the freeware community. SRP is distributed on Open Source-friendly terms so that such projects can take advantage of the technology.

Simplicity - SRP is a drop-in replacement for weak password authentication. Instead of involving third parties, key servers, or a PKI, SRP is a black box that takes the user's password and produces, as its result, authentication of both parties and a shared session key. Since it is a "better mousetrap" that requires no major interface changes, a wide range of products have been able to incorporate SRP rather than leaving it as a single, proprietary, monolithic entity.
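To make the "black box" concrete, here is one complete SRP-6a login, both sides, with the checks that give the protection against active attackers described above. This is an added illustration written for this page, not code from the SRP Distribution. It assumes the 1024-bit group from RFC 5054 Appendix A (the constant is transcribed here, so verify_group() re-checks that it is a safe prime before use), SHA-256 in place of the SHA-1 the original specifications use, and the message formulas of RFC 2945 / SRP-6a; the function and class names (register, Client, Server, run_exchange) are this example's own.

```python
"""SRP-6a login, client and server side, in pure Python (added illustration, not the SRP
Distribution's code). Group: RFC 5054 Appendix A 1024-bit prime, g = 2, transcribed here
and re-checked by verify_group(); hash: SHA-256 in place of the specs' SHA-1."""
import hashlib
import hmac
import secrets

N_HEX = (
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3"
)
N, g = int(N_HEX, 16), 2
NLEN = (N.bit_length() + 7) // 8

def sha(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def pad(x: int) -> bytes:               # fixed-width big-endian encoding, as the protocol requires
    return x.to_bytes(NLEN, "big")

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin; enough to catch a mistyped group constant."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def verify_group() -> bool:
    """N must be a safe prime (N = 2q + 1, q prime) and g must not fall in a tiny subgroup."""
    q = (N - 1) // 2
    return all([is_probable_prime(N), is_probable_prime(q), pow(g, 2, N) != 1, pow(g, q, N) != 1])

k = int.from_bytes(sha(pad(N), pad(g)), "big")          # SRP-6a multiplier

def private_x(salt: bytes, I: str, P: str) -> int:      # x = H(s | H(I ":" P)), per RFC 2945
    return int.from_bytes(sha(salt, sha(f"{I}:{P}".encode())), "big")

def register(I: str, P: str):
    """Enrolment: the server stores only (salt, verifier); the password itself is never kept."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, I, P), N)

def proof_m1(I: str, salt: bytes, A: int, B: int, K: bytes) -> bytes:
    hn_xor_hg = bytes(a ^ b for a, b in zip(sha(pad(N)), sha(pad(g))))
    return sha(hn_xor_hg, sha(I.encode()), salt, pad(A), pad(B), K)

class Client:
    def __init__(self, I: str, P: str):
        self.I, self.P, self.a = I, P, secrets.randbits(256)
        self.A = pow(g, self.a, N)

    def respond(self, salt: bytes, B: int) -> bytes:
        if B % N == 0:                  # SRP-6a check against a malicious server
            raise ValueError("B mod N == 0")
        u = int.from_bytes(sha(pad(self.A), pad(B)), "big")
        x = private_x(salt, self.I, self.P)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = sha(pad(S))
        self.M1 = proof_m1(self.I, salt, self.A, B, self.K)
        return self.M1

    def verify_server(self, M2: bytes) -> bool:
        return hmac.compare_digest(M2, sha(pad(self.A), self.M1, self.K))

class Server:
    def __init__(self, salt: bytes, v: int):
        self.salt, self.v, self.b = salt, v, secrets.randbits(256)
        self.B = (k * v + pow(g, self.b, N)) % N

    def challenge(self, I: str, A: int):
        if A % N == 0:                  # reject A in {0, N, 2N, ...}: it would force S = 0
            raise ValueError("A mod N == 0")
        self.I, self.A = I, A
        return self.salt, self.B

    def verify_client(self, M1: bytes):
        """Return M2 on a correct password, None otherwise; nothing keyed on K leaves before M1 checks."""
        u = int.from_bytes(sha(pad(self.A), pad(self.B)), "big")
        S = pow(self.A * pow(self.v, u, N), self.b, N)
        self.K = sha(pad(S))
        if not hmac.compare_digest(M1, proof_m1(self.I, self.salt, self.A, self.B, self.K)):
            return None
        return sha(pad(self.A), M1, self.K)

def run_exchange(I: str, salt: bytes, v: int, P: str):
    """One login attempt. Only I, A, salt, B, M1 and M2 cross the wire, never the password."""
    client, server = Client(I, P), Server(salt, v)
    salt_out, B = server.challenge(client.I, client.A)
    M2 = server.verify_client(client.respond(salt_out, B))
    server_ok = M2 is not None
    client_ok = server_ok and client.verify_server(M2)
    return server_ok, client_ok, server_ok and client.K == server.K
```

The two abort conditions (A mod N == 0 on the server, B mod N == 0 on the client) are what stop an active attacker from forcing the shared secret to a known value; a passive observer sees only group elements and hashes, so an offline dictionary attack on the captured traffic still requires solving a discrete logarithm. Note that the server verifies M1 before releasing anything derived from K, so a wrong guess learns nothing beyond "rejected".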

Despite the availability of good security products on the marketplace for Intranet and Internet use, consumers have been slow to adopt them in any significant number and will continue to ignore them until they are well-integrated into the user's environment (e.g. Netscape and SSL). The SRP Project aims to attain that level of integration for password security, to make it "part of the operating system" so to speak.

The Open Source movement is an important part of this objective, because the ability of Open Source OSes to integrate new, freely-available technology is one of their greatest strengths. Because SRP can be incorporated into US-based software without being subject to export restrictions, it can provide the level of universal password security that has the potential to benefit all users. Indeed, users of these OSes (e.g. Linux and OpenBSD) have expressed a great deal of interest in exactly this type of integration.

The Distribution

The SRP Distribution is a collection of applications and utilities that demonstrate some of the capabilities of SRP authentication. Included are the original Java clients and servers, along with secure versions of Telnet and FTP based on the new Proposed Internet Standards for SRP. The Distribution is intended as a "proof-of-concept" showing how SRP integrates with existing code. Although it is designed to build and install on a wide variety of platforms, it is primarily intended to show developers how to integrate SRP authentication into native applications and to serve as a reference implementation to aid design and debugging.

Participate!

If you're interested in getting strong, universal password security that everyone can use, you can take an active role in realizing this goal. The contributions of countless freeware developers have helped the SRP project immensely since the beginning, and it is necessary to acknowledge the important role that consumers have already played and will continue to play in raising the bar for universal network password security.
