forked from baryluk/srp_php
phipear/srp_php
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
Secure Remote Password protocol.
This is simple MySQL + PHP application which also uses JavaScript,
to perform two-way auhentication.
Features:
It is secure for both sides.
It do not need certificates or certification authorities
(beside initial account creation, which is almost always
safer than day-to-day usage, and can be done using
secondary channels, like telephone, or other system).
It is brute-force and replay attack resilent.
It establishes strong common session encryption key.
It makes offline attacks almost impossible.
It do not store plain text passwords on tht database,
and database cannot be used even break into the same system
or systems with same login / password pairs.
It do not leak any informations to the not trusted servers,
and to not trusted users.
It is better than plain text passwords, it is better than hashed
passwords, it is better than salted passwords, it is better than
chalenge-response schemes, it is better than Diffie-Helman authentification,
it is better than public key systems. One of the best cryptographic
protocols ever.
We use SHA-256 (and its -HMAC version) as basic cryptographic primitive,
and use GMP (GNU Multiprecission library) for PHP to perform
large number arithmetic. We use scrypt-inspired key derivation
(password strenghtening) from password.
It is just a proof of concept, good for didactic purposes.
Do not use in production systems. Can contain bugs,
as well can be vorunable to side-channel attacks using time based
methods. It also do not solve how client-side code is distributed
to the client (probably using SSL based HTTP, with trusted
certificates, for example on trusted third-party server).
Please rather vote for a native TLS-SRP support in
browsers: Mozilla Firefox, Chromium, Opera, etc.,
and libraries: OpenSSL, GNUTLS, NSS.
Copytright: Witold Baryluk, June 2009
Links:
http://en.wikipedia.org/wiki/Secure_Remote_Password_protocol
http://srp.stanford.edu/
http://tools.ietf.org/html/rfc2945
http://tools.ietf.org/html/rfc5054
http://grouper.ieee.org/groups/1363/
http://en.wikipedia.org/wiki/TLS-SRP
http://trustedhttp.org/ patches for libs (GnuTLS, OpenSSL, NSS, Python), servers (apache), and clients (curl, Firefox, Chrome)
About
Simple implementation of Secure Remote Password protocol in PHP and Javascript
Resources
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published
Languages
- PHP 100.0%