SRP -- SRP-6a Secure Remote Password protocol#
Implementation of the SRP-6a protocol (RFC 5054) for password-authenticated key exchange: the server stores a salted password verifier rather than the password, and the password itself never crosses the wire. Note that SRP does not protect weak passwords against an attacker who obtains the verifier database (offline guessing against a leaked verifier is still possible), so salts must be random and unique per user. Includes support for the 3072-bit group used by HomeKit.
Installation#
Install with opam:
$ opam install srp
If opam cannot find the package, it may not yet be released in the public
opam-repository. Add the overlay repository, then install it:
$ opam repo add samoht https://tangled.org/gazagnaire.org/opam-overlay.git
$ opam update
$ opam install srp
Usage#
Server setup (register a user)#
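(* Server-side registration: the server stores the salt and the verifier,
   never the password.
   The salt MUST be random and unique per user. With a fixed or empty salt the
   verifier depends only on (username, password), so a leaked verifier table
   can be attacked with a precomputed dictionary. RFC 5054 leaves the salt
   length open; 16 bytes (128 bits) is a common choice. The bytes are read from
   the OS CSPRNG here; if the RNG library initialised in the next section
   (Crypto_rng_unix) exposes a generate function, that is an equally good
   source -- never use [Random], which is not cryptographically secure. *)
let salt =
  let ic = open_in_bin "/dev/urandom" in
  Fun.protect
    ~finally:(fun () -> close_in ic)
    (fun () -> really_input_string ic 16)

(* Persist [salt] together with [verifier]: the server needs both to answer a
   login (see "Client authentication" below), and the verifier alone cannot be
   used to reconstruct the password. *)
let verifier =
  Srp.compute_verifier ~salt ~username:"alice" ~password:"secret"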
Client authentication#
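(* The RNG must be initialised before either party is created: [Client.create]
   and [Server.create] draw the ephemeral secrets (a, b) from it, and SRP's
   security collapses if those are predictable or reused. *)
let () = Crypto_rng_unix.use_default ()

(* Client: derive the ephemeral public value A and send (username, A). *)
let client = Srp.Client.create ~username:"alice" ~password:"secret"
let big_a = Srp.Client.public_key client

(* Server: look up (salt, verifier) for the username and answer with (salt, B).
   RFC 5054 (section 2.5.1.3) recommends that a server use a dummy salt and
   verifier for unknown usernames so the response does not reveal whether the
   account exists. *)
let server = Srp.Server.create ~username:"alice" ~salt ~verifier
let big_b = Srp.Server.public_key server

(* Both sides derive the session key.
   The [Error] branches are where an invalid peer value is expected to surface:
   RFC 5054 requires the client to abort if B mod N = 0 (2.5.3) and the server
   to abort if A mod N = 0 (2.5.4). Confirm against the library's .mli exactly
   which checks [compute_session_key] performs.
   Comparing the two keys directly only works because both parties live in one
   process for this demo. In a real deployment the keys are never exchanged:
   the client sends a key-confirmation proof computed from A, B and K, and the
   server releases anything derived from K only after verifying that proof.
   Any such comparison on a server must be constant-time, which [String.equal]
   is not. *)
let () =
  match Srp.Client.compute_session_key client ~salt ~big_b with
  | Error _ -> failwith "session key derivation failed"
  | Ok client_key -> (
      match Srp.Server.compute_session_key server ~big_a with
      | Error _ -> failwith "session key derivation failed"
      | Ok server_key -> assert (String.equal client_key server_key))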
API#
- `Srp.n` / `Srp.g` -- 3072-bit group parameters (the prime N and generator g)
- `Srp.compute_verifier` -- compute the password verifier the server stores (together with the per-user salt)
- `Srp.Client.v` / `Srp.Client.public` / `Srp.Client.session_key` -- client state
- `Srp.Server.v` / `Srp.Server.public` / `Srp.Server.session_key` -- server state

Note: the usage example above calls `Srp.Client.create`, `Srp.Client.public_key` and `Srp.Client.compute_session_key` (and the `Srp.Server` equivalents); the names in this list and in the example disagree, so check the installed `.mli` for the current API.
Reference#
- RFC 5054 -- Using SRP for TLS Authentication
Licence#
ISC