I am considering implementing the Secure Remote Password protocol to conduct a zero-knowledge password proof between the browser and my web application. The SRP website provides an example, but it requires java to perform calculations. I am wondering whether it is possible to implement SRP using javascript without the use of Java, as I do not want to require my users to have Java installed, particularly as my audience will be a security conscious one which would potentially consider the risk of having the java plugin enabled a greater risk to their security than a zero-knowledge password proof.

Here is the link to their demo: /

I am considering implementing the Secure Remote Password protocol to conduct a zero-knowledge password proof between the browser and my web application. The SRP website provides an example, but it requires java to perform calculations. I am wondering whether it is possible to implement SRP using javascript without the use of Java, as I do not want to require my users to have Java installed, particularly as my audience will be a security conscious one which would potentially consider the risk of having the java plugin enabled a greater risk to their security than a zero-knowledge password proof.

Here is the link to their demo: http://srp.stanford.edu/demo/

• javascript
• html
• cryptography
• srp-protocol

Share Improve this question Follow edited Dec 31, 2014 at 18:01 simbo1905 6,88255 gold badges6262 silver badges9494 bronze badges asked Mar 22, 2014 at 2:36 Matt EskridgeMatt Eskridge 1,0301010 silver badges2424 bronze badges 6

• 2 Possibly of interest: matasano./articles/javascript-cryptography – ntoskrnl Commented Mar 22, 2014 at 14:39
• 1 +1 for using Thomas Wu's Secure Remote Password (SRP). I really like that protocol. It provides mutual authentication, channel binding, and is based on Diffie-Hellman. Another you might be interested in is Preshared Key (PSK). It also provides mutual authentication and channel binding, but its based on a block cipher like AES. They are available is SSL, but they are rarely used: TLS_SRP and TLS-PSK. – jww Commented Mar 24, 2014 at 18:48
• 1 I will look into that protocol. Unfortunately, I may not end up using SRP, as I do not want to make the java plugin a requirement for users due to its poor security record. – Matt Eskridge Commented Mar 24, 2014 at 19:09
• 1 Another fellow is suffering similar at different Session Keys in SRP6a. – jww Commented Mar 25, 2014 at 23:53
• There are a wide variety of problems with JavaScript and cryptography. The selected answer mentions a few of the projects working on it, but none can solve some of the fundamental trust issues, ref: nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/august/… – amcgregor Commented Oct 9, 2017 at 18:29

 |  Show 1 more ment

3 Answers 3

Sorted by: Reset to default 4

I am wondering whether it is possible to implement SRP using javascript without the use of Java,

If you are looking for a standardized method, the answer in NO.

The WebCrypto Working Group is standardizing things now for some crypto operations. However, the WG has already stated they will not provide access to the underlying BigInt primitives needed for the modular operations, so you won't have the primitives you need in the first release. You may get it in a subsequent release. See Question on BigInteger operations from their mailing list.

Update: the WebCrypto Working Group is not going to provide Diffie-Hellman as part of the standard, either. And the Chrome team is not even going to provide Diffie-Hellman as an extension. They claim there are no use cases or demand for Diffie-Hellman, either. See Diffie-Hellman in WebCrypto from their mailing list.

You might be able to find it in a Javascript library, but I would expect it to be slow (or slower than a native implementation).

---

Related, keep in mind that the same folks who are denying you BigInts and Diffie-Hellman are the same folks who decreed "interception is a valid use case" in the browser security model.

And they are the same folks who broke RFC 7469 Public Key Pinning Extension for HTTP. For a detailed mentary, see Comments on draft-ietf-websec-key-pinning. Worse, when they were called-out for providing the overrides and breaking the secure channel, they changed the language in Draft 21 to Final to make it even more obscure and hidden away.

I use an SRP client in KeeFox. It's a Firefox add-on so has fewer issues with backwards patibility, cross-browser support, etc. I imagine a slightly modified version would work in most modern browsers though.

It is slow but still fast enough for the occasional use it gets (maximum of once per Firefox session).

I took inspiration from http://code.google./p/srp-js/

You can see the end result at https://github./luckyrat/KeeFox/blob/master/Firefox%20addon/KeeFox/modules/SRP.js

For my purposes I have optimised away a round-trip but you'll have to assess your own use case to determine whether my specific implementation would be secure.

I had trouble with the first couple of BigInteger libraries I tried (most seem to be faulty for the operations required by SRP) but settled on https://github./luckyrat/KeeFox/blob/master/Firefox%20addon/KeeFox/modules/biginteger.js

I've just had a fresh look into native BigInteger support and it still doesn't look like there are any options.

From a firefox addon perspective, I am wondering whether js-ctypes could give access to some Firefox internals that would allow me to speed things up a bit but I've seen my only previous use of ctypes break patibility with 2 out the 10 Firefox versions that have been released since implementation so I'm wary of using them unless it bees essential.

Thinbus which is on npm at https://www.npmjs./package/thinbus-srp has a pure javascript client library which performs SRP to a java server (Edit or a PHP server). If you are not using java or PHP in your web it should be fairly straight forward to port the server logic to your web application as it is only using standard SHA256 hashing and BigInteger math which will be available in other languages.