The SRP protocol has a number of desirable properties: it allows a user to authenticate themselves to a server, it is resistant to dictionary attacks mounted by an eavesdropper, and it does not require a trusted third party. It effectively conveys a zero-knowledge password proof from the user to the server. In revision 6 of the protocol only one password can be guessed per connection attempt. One of the interesting properties of the protocol is that even if one or two of the cryptographic primitives it uses are attacked, it is still secure. The SRP protocol has been revised several times, and is currently at revision 6a. (Wikipedia)
- PHP >= 5.6
composer install && bower install
SRP Protocol Design
To give people an example of using SRP in their applications.
The JavaScript code is in public/assets/js/app and the PHP library code is in
The codebase includes a demonstration application which uses jQuery AJAX and RedBean to register users into a SQLite database and then authenticate them. SQLite attempts to write its database file within the website tree, but the path can be edited in src/Bootstrap.php. RedBean and SQLite are used for demonstration purposes only and are not needed to use the core SRP library code.
If the authentication is successful then the PHP session variable SRP_AUTHENTICATED is set. This indicates that the session variables, including SRP_SESSION_KEY, have been authenticated. The session key is returned by sessionKey() and serves as a strong shared secret key unique to the current authenticated session, which could be used for further cryptography.
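To make the protocol properties quoted above and the "session key as a shared secret" concrete, here is an added Python walkthrough of one SRP-6a exchange (registration verifier, A/B message values, and the session key derived independently on both sides). It is example code written for this README, not part of the PHP library; it assumes the RFC 5054 1024-bit group with SHA-256, and the identity, password and salt values are constructed for the demo.

```python
import hashlib
import secrets

# Group parameters: the 1024-bit group from RFC 5054 Appendix A (g = 2).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8


def pad(x):
    """Big-endian encoding left-padded to the byte length of N (RFC 5054 PAD)."""
    return x.to_bytes(NLEN, "big")


def H(*parts):
    """SHA-256 over the concatenation of the parts, returned as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier k = H(N | PAD(g))


def private_x(identity, password, salt):
    """x = H(s | H(I ':' P)); the only place the password itself is used."""
    return H(salt, hashlib.sha256(identity + b":" + password).digest())


def verifier(identity, password, salt):
    """Registration: the server stores (I, s, v) and never sees P again."""
    return pow(g, private_x(identity, password, salt), N)


def srp_exchange(identity, password, salt, v, a=None, b=None):
    """One SRP-6a run; returns (client_key, server_key) as 32-byte strings."""
    a = a or secrets.randbelow(N)          # client ephemeral secret
    b = b or secrets.randbelow(N)          # server ephemeral secret
    A = pow(g, a, N)                       # client -> server: I, A
    B = (k * v + pow(g, b, N)) % N         # server -> client: s, B
    if A % N == 0 or B % N == 0:           # both sides must refuse A or B == 0 mod N
        raise ValueError("degenerate public value")
    u = H(pad(A), pad(B))                  # random scrambling parameter
    x = private_x(identity, password, salt)             # client knows P
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow(A * pow(v, u, N) % N, b, N)          # server knows only v
    return hashlib.sha256(pad(S_client)).digest(), hashlib.sha256(pad(S_server)).digest()
```

Both keys agree only when the client used the password behind the stored verifier, which is what lets an implementation prove one guess per connection without the server ever holding the password.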