README
¶
Secure Remote Password protocol
This is a library implementing the SRP protocol as defined in RFC 2945 (partially) and in the RFC 5054 for the TLS integration.
Usage
- Initialization phase
The server has to register all username and password that it is expected to server. The password are not stored directly, but the hash with salt. The example here use an implemented local memory store.
// enter the creds
db := NewMapLookup()
// password never stored in clear (hashed with salt)
db.Add("Serge","Karamazov",Group4096)
server := NewServerInstance(db)
- Exchange
server:
// give the username to the server
mat,err := server.KeyExchange("Serge",nil)
if err != nil {
panic(err)
}
client:
// give the material to the client
// password is not kept in memory, it's directly hashed with salt.
client,err := NewClient("Serge","Karamazov"
if err != nil {
panic(err)
}
keyC,A,err := client.KeyExchange(mat)
if err != nil {
panic(err)
}
// keyC is the actual KEY derived :)
server:
keyS,err := server.Key(A)
if err != nil {
panic(err)
}
// keyS is the actual KEY derived :)
Differences with the RFC 5054
- The hash function used here is SHA256 instead of SHA-1
- The number of groups allowed is reduced (1024 and 2048 bit size are dropped)
Open questions
- field elements size ? a & b. Set to RandSize = 64
License
MIT License. See LICENSE file.
Documentation
¶
Index ¶
Constants ¶
const MaxUserSize = 255
MaxUserSize is the maximum size an username can be, inclusive.
const MinUserSize = 3
MinUserSize is the minimum size an username must be, inclusive.
const RandSize = 32
RandSize is the size of the random numbers generated by the client and server Taken from tlslite implementation.
const SaltSize = 16
SaltSize is the size of the salt to generate in bytes. Taken from tlslite implementation.
Variables ¶
var ErrInvalidGroup = errors.New("srp: invalid group parameters")
var ErrUnknownGroup = errors.New("srp: unknown group parameters")
var ErrUnknownUser = errors.New("username provided is not known")
var HashFunc = sha256.New
The hashing function used for the SRP protocol. NOTE: It might be adding an extra security layer to convert it to Argon2 for example later.
var Rand io.Reader
Rand is the reader used to generate randomness for the salt and the points in the exchange. By default, it is set to `crypto/rand.Reader`.
Functions ¶
This section is empty.
Types ¶
type Client ¶
func NewClient ¶
NewClient returns a client that is able to proceed on the SRP protocol. It consumes the password into a hash function so there's no storage of it.
func (*Client) KeyExchange ¶
func (c *Client) KeyExchange(m *ServerMaterial) (key, A []byte, err error)
Material uses the server materials to generate the random component A from the client as in 2.6 https://tools.ietf.org/html/rfc5054#page-8 It returns the shared key, the public part A to send to server, or an error otherwise. It can return ErrInvalidGroup is the group parameters are invalid.
type Group ¶
Group structure holding the base generator point and the prime number
var ( //Group1024 Group //Group1536 Group //Group2048 Group Group3072 Group Group4096 Group Group6144 Group Group8192 Group )
SRP groups defined in RFC 5054.
func CreateGroup ¶
type MapLookup ¶
func NewMapLookup ¶
func NewMapLookup() *MapLookup
type ServerInstance ¶
ServerInstance is a struct following the protocol FOR ONE USER
func NewServerInstance ¶
func NewServerInstance(lookup Lookup) *ServerInstance
func (*ServerInstance) Key ¶
func (s *ServerInstance) Key(A []byte) ([]byte, error)
Key returns the shared key given the A public client's information or an error if A is wrong or suspicious.
func (*ServerInstance) KeyExchange ¶
func (s *ServerInstance) KeyExchange(username string, fakeSalt []byte) (*ServerMaterial, error)
KeyExchange proceeds to the key exchange part from the server's point of view. It computes B = k * v + g^b % N and returns the information needed by the Client to pursue. fakseSalt is used when the username is invalid: in that case, the server will simulate computation as usual in order to avoid timing attacks. If fakeSalt is nil, it directly returns and do NO DO this fake computations. In any cases, if the username is invalid, it returns ErrUnknownUser.
type ServerMaterial ¶
type Verifier ¶
type Verifier struct {
// the actual group element. Encoded as big.Int which by default uses
// big endianness format.
Hash []byte
// Salt
Salt []byte
}
Verifier contains H(salt || (username:password)). It is suitable for writing/reader from most of encoding schemes (json).
func NewVerifier ¶
NewVerifier returns a new verifier out of the username and the related password. The password can be discarded after as there is no need to store it. http://tools.ietf.org/html/rfc5054#section-2.4
Source Files