https://github.com/idlesign/srptools
Tools to implement Secure Remote Password (SRP) authentication
SRP is a secure password-based authentication and key-exchange protocol - a password-authenticated key agreement protocol (PAKE).
This package contains protocol implementation for Python 2 and 3.
You may import it into you applications and use its API or you may use
srptools
command-line utility (CLI):
Command-line utility requires click
package to be installed.
Basic scenario:
> srptools get_user_data_triplet > srptools server get_private_and_public > srptools client get_private_and_public > srptools client get_session_data > srptools server get_session_data
Help is available:
> srptools --help
Preliminary step. Agree on communication details:
from srptools import SRPContext
context = SRPContext('alice', 'password123')
username, password_verifier, salt = context.get_user_data_triplet()
prime = context.prime
gen = context.generator
Simplified workflow:
from srptools import SRPContext, SRPServerSession, SRPClientSession
# Receive username from client and generate server public.
server_session = SRPServerSession(SRPContext(username, prime=prime, generator=gen), password_verifier)
server_public = server_session.public
# Receive server public and salt and process them.
client_session = SRPClientSession(SRPContext('alice', 'password123', prime=prime, generator=gen))
client_session.process(server_public, salt)
# Generate client public and session key.
client_public = client_session.public
# Process client public and compare session keys.
server_session.process(client_public, salt)
assert server_session.key == client_session.key
Extended workflow
from srptools import SRPContext, SRPServerSession, SRPClientSession
# Receive username from client and generate server public.
server_session = SRPServerSession(SRPContext(username, prime=prime, generator=gen), password_verifier)
server_public = server_session.public
# Receive server public and salt and process them.
client_session = SRPClientSession(SRPContext('alice', 'password123', prime=prime, generator=gen))
client_session.process(server_public, salt)
# Generate client public and session key proof.
client_public = client_session.public
client_session_key_proof = client_session.key_proof
# Process client public and verify session key proof.
server_session.process(client_public, salt)
assert server_session.verify_proof(client_session_key_proof)
# Generate session key proof hash.
server_session_key_proof_hash = client_session.key_proof_hash
# Verify session key proof hash received from server.
assert client_session.verify_proof(server_session_key_proof_hash)
srptools.constants
contains basic constants which can be used withSRPContext
for server and client to agree upon communication details..process()
methods of session classes may raiseSRPException
in certain circumstances. Auth process on such occasions must be stopped..private
attribute of session classes may be used to restore sessions:server_private = server_session.private # Restore session on new request. server_session = SRPServerSession(context, password_verifier, private=server_private)
SRPContext
is rather flexible, so you can implement some custom server/client session logic with its help.Basic values are represented as hex strings but base64 encoded values are also supported:
server_public = server_session.public_b64 # Receive server public and salt and process them. client_session = SRPClientSession(SRPContext('alice', 'password123', prime=prime, generator=gen)) client_session.process(server_public, salt, base64=True) # Use srptools.hex_from_b64() to represent base64 value as hex. server_public_hex = hex_from_b64(server_public)
- RFC 2945 - The SRP Authentication and Key Exchange System
- https://tools.ietf.org/html/rfc2945
- RFC 5054 - Using the Secure Remote Password (SRP) Protocol for TLS Authentication
- https://tools.ietf.org/html/rfc5054