An RFC 5054-compatible SRP Client for Javascript.
Latest commit 5d3b61b Dec 25, 2015 @louismullie louismullie Merge pull request #10 from Vayu/master
Fix generator for 8192 group.

README.md

Javascript Client for the Secure Remote Password (SRP) Protocol

Warning: this is an alpha release and is not ready for production use. Peer review is appreciated.

This library implements a Javascript client for the SRP protocol. The client aims to be compatible with SRP revision 6A, as defined in RFC 5054 ("Using the Secure Remote Password (SRP) Protocol for TLS Authentication"). It is released under the MPL.

The code is directly based on Tom Wu's Javascript SRP demo, which is released under the SRP license.

Testing

This library is tested with Jasmine using the official test vectors from the SRP specification. The specs can be run by opening SpecRunner.html in your browser.

Usage

Configuration

As shown in the examples below, this library accepts 1024, 1536, 2048, 4096, 6144 and 8192-bit group parameters. The default is 1024 bits.

Registration Example

<html>

<head>
  
  <script type="text/javascript" src="jsbn.js"></script>
  <script type="text/javascript" src="sha1.js"></script>
  <script type="text/javascript" src="random.js"></script>
  <script type="text/javascript" src="srp-client.js"></script>

  <script type="text/javascript">

  var bits     =  2048;
  var username = 'username';
  var password = 'password';

  var srp = new SRPClient(username, password, bits);

  // 1. The client generates a random hex salt.
  var salt = srp.randomHexSalt();
  
  // 2. The client calculates its verifier value from the salt.
  var v = srp.calculateV(salt);
  
  // 3. The client sends the username, salt and
  // verifier to the server, which stores all three.
  
  </script>

</head>

</html>

Authentication Example

<html>

<head>

  <script type="text/javascript" src="jsbn.js"></script>
  <script type="text/javascript" src="sha1.js"></script>
  <script type="text/javascript" src="sjcl.js"></script>
  <script type="text/javascript" src="srp-client.js"></script>

  <script type="text/javascript">
  
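  var username = 'username';
  var password = 'password';

  var srp = new SRPClient(username, password, 2048);

  // The salt and verifier come from registration. They are
  // recomputed here so that this example runs on its own.
  var salt = srp.randomHexSalt();
  var v = srp.calculateV(salt);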

  // 1. The client generates and stores A.
  var a = srp.srpRandom();
  var A = srp.calculateA(a);

  // 2. The client sends A to the server.
  
  // 3. The server receives A and generates B.
  var b = srp.srpRandom();
  var B = srp.calculateB(b);

  // 4. The client and the server both calculate U.
  var u = srp.calculateU(A, B);

  // 5. The client generates its premaster secret.
  var Sc = srp.calculateS(B, salt, u, a);
  
  // 6. The server generates its premaster secret.
  var Ss = srp.calculateServerS(A, v, u, b);

  // 7. The client and the server verify the secrets.
  console.log('Server and client secrets match:');
  console.log(Sc.toString() == Ss.toString());

  </script>

</head>

</html>
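
The authentication steps above leave out the checks RFC 5054 requires: the client must abort if B % N is zero and the server must abort if A % N is zero (SRP-6 also has the client reject u = 0). The following is an added example, not this library's code: a standalone Node.js sketch of the same exchange using BigInt, SHA-1 and the RFC 5054 1024-bit group, with those checks in place. The function names (clientSecret, serverSecret, runExchange) are hypothetical and the credentials are constructed sample values.

```javascript
const { createHash, randomBytes } = require("node:crypto");

// 1024-bit group from RFC 5054 Appendix A (generator 2), hashed with SHA-1.
const N = BigInt("0x" +
  "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576" +
  "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1" +
  "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC" +
  "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3");
const g = 2n, LEN = 128; // LEN = byte length of N, used for PAD()

const sha1 = (...parts) => createHash("sha1").update(Buffer.concat(parts)).digest();
const toInt = (buf) => BigInt("0x" + buf.toString("hex"));
const toBuf = (n, len = 0) => {
  const h = n.toString(16); // left-pad to an even length or to len bytes
  return Buffer.from(h.padStart(Math.max(len * 2, h.length + h.length % 2), "0"), "hex");
};
// Square-and-multiply; not constant time, for illustration only.
function modPow(base, exp, mod) {
  let r = 1n; base %= mod;
  for (; exp > 0n; exp >>= 1n) { if (exp & 1n) r = (r * base) % mod; base = (base * base) % mod; }
  return r;
}

const k = toInt(sha1(toBuf(N), toBuf(g, LEN)));                 // k = H(N | PAD(g))
const calcX = (I, P, salt) => toInt(sha1(salt, sha1(Buffer.from(`${I}:${P}`))));
const calcU = (A, B) => toInt(sha1(toBuf(A, LEN), toBuf(B, LEN)));

function clientSecret(B, x, a) {
  // A zero B (mod N) or zero u must end the handshake.
  if (B % N === 0n) throw new Error("abort: B % N is zero");
  const u = calcU(modPow(g, a, N), B);
  if (u === 0n) throw new Error("abort: u is zero");
  const base = ((B - k * modPow(g, x, N)) % N + N) % N;         // keep non-negative
  return modPow(base, a + u * x, N);                            // S = (B - k*g^x)^(a + u*x)
}

function serverSecret(A, v, b, B) {
  // A zero A (mod N) would make S independent of the stored verifier.
  if (A % N === 0n) throw new Error("abort: A % N is zero");
  return modPow((A * modPow(v, calcU(A, B), N)) % N, b, N);     // S = (A * v^u)^b
}

// Registers with password P, then logs in with loginP; true if both S values match.
function runExchange(I, P, loginP) {
  const salt = randomBytes(16);
  const v = modPow(g, calcX(I, P, salt), N);                    // stored by the server
  const a = toInt(randomBytes(32)), b = toInt(randomBytes(32));
  const A = modPow(g, a, N), B = (k * v + modPow(g, b, N)) % N;
  return clientSecret(B, calcX(I, loginP, salt), a) === serverSecret(A, v, b, B);
}
```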

Further Reading

  • RFC 2945 - The SRP Authentication and Key Exchange System
  • RFC 5054 - Using the Secure Remote Password (SRP) Protocol for TLS Authentication

License

This library is released under the MPL.