Advantages and Benefits of SRP

Although SRP's main claim to fame is its improved security relative to existing password authentication mechanisms, SRP actually offers advantages in several other areas as well. First, though, we discuss the security implications.

Security Advantages

In a nutshell, here are some of the properties that make SRP a strong authentication protocol:
  1. SRP is safe against snooping. The password is never passed over the network, either in the clear or encrypted.
  2. SRP is immune to replay attacks. None of the information exchanged during authentication can be re-used to gain access to a server using SRP.
  3. SRP exchanges a session key in the process of authentication. This key can be used to encrypt the user's login session and protect it from both snooping and malicious active attack.
  4. SRP can provide mutual authentication. This requires both sides to keep their secrets secure, obviously.
  5. SRP resists the dreaded off-line dictionary attack based on exchanged messages. The traffic exchanged over the network is insufficient to verify a guess of a user's password.
  6. SRP offers perfect forward secrecy. A compromised password will not allow an intruder to decrypt past sessions. A compromised session key will not allow an intruder to find out a password. This includes resistance to the infamous Denning-Sacco attack; a compromised session key will not permit an attacker to mount a dictionary attack against the password.
  7. SRP can tolerate a compromise of the verifier database on the host. Although such a compromise may enable some attacks against the system (dictionary attack, host impersonation), it is not necessarily catastrophic, because the password entries can only be used for verification of a user's password (i.e. they are not plaintext-equivalent to the actual passwords). They cannot be used by an intruder to gain direct access to a host.
The last three issues are what I call the "Big-3" of password authentication, and they are discussed in greater detail on a separate page. They are, as a rule, difficult constraints to satisfy. If one considers only protocols that resist dictionary attacks (the first constraint), one is left with the EKE family of protocols and a few other public-key assisted protocols. If one also requires perfect forward secrecy, that leaves only the strongest of the EKE family protocols, like DH-EKE and SPEKE. When one throws in the final requirement for non-plaintext-equivalence, one is left finally with the null set.

Until now, that is. SRP has been demonstrated to satisfy all three of the "Big-3" requirements. To date, protocols that satisfy even two of the three requirements are considered rare, especially if non-plaintext-equivalence is one of the two. SRP's security advantages make it uniquely suited for use in a wide variety of environments, especially those where vulnerability to any one of the "Big-3" attacks would have been problematic.

In a nutshell, SRP-3 is the "right" way to do password authentication. All other known direct authentication mechanisms are demonstrably inferior to it, either by being less secure, less convenient, or slower. It gives the maximum possible security obtainable with a simple password, and it can be easily layered on top of other security services to create a more bulletproof security model.

Technical Advantages

Aside from purely security-related benefits, SRP has a number of technical and practical advantages that make it a versatile protocol.
  1. SRP is a fairly simple protocol. SRP involves little more than exponentiation, addition, multiplication, and hashing, all of which are easily understood and implemented.
  2. SRP is fast. It is a commonly accepted article of faith that strong authentication protocols must perform some form of slow public-key computation during authentication. SRP runs as quickly as a conventional, anonymous Diffie-Hellman key exchange, and many of the optimizations that work with D-H can be applied to SRP, e.g. parallelizing operations to minimize user-visible delay. Typical unoptimized implementations have been shown to take under a second to complete authentication.
  3. SRP is easy to standardize, implement, and debug. Since SRP is based on a set of simple operations, it is fairly easy to find existing code that performs the component functions and integrate it into any client application. Also, since SRP is fairly economical with respect to network traffic, it is fairly easy to specify and standardize for widespread use. The messages are all easy to characterize and are fairly specific in nature.
Practical prototypes of networked utilities that support SRP have already been built and tested. Because of SRP's relative simplicity, the prototypes have proven to be robust and fairly bug-free, not to mention fast. SRP is at or near most of the theoretical limits of strong authentication protocols. It is believed that three messages is the absolute minimum number of messages required for strong authentication; SRP uses four (not counting the identity and parameter messages in either case), but the last one is required only if mutual authentication is desired.
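
The four-message exchange and the "exponentiation, addition, multiplication, and hashing" claim above can be seen in a compact simulation of SRP-3. This is an added example, not code from the SRP distribution or its API library. The group (N, g), the use of SHA-256, the length-prefixed hash encoding and the function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed toy group, for illustration only: 2**521 - 1 is prime but is not
# a safe prime. Real deployments use a vetted large safe-prime group.
N = 2**521 - 1
g = 3

def H(*parts):
    """SHA-256 over length-prefixed parts, returned as an int (assumed encoding)."""
    h = hashlib.sha256()
    for p in parts:
        data = p if isinstance(p, bytes) else p.to_bytes(66, "big")
        h.update(len(data).to_bytes(2, "big") + data)
    return int.from_bytes(h.digest(), "big")

def enroll(password):
    """Host-side record: (salt, v) with v = g^x. The password is never stored."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, H(salt, password), N)

def login(password, salt, v):
    """Simulate both ends of one exchange; returns (host_accepts, client_accepts)."""
    a, b = secrets.randbits(256), secrets.randbits(256)  # ephemeral secrets
    A = pow(g, a, N)                    # message 1, client -> host
    B = (v + pow(g, b, N)) % N          # message 2, host -> client
    if A == 0 or B == 0:                # each side rejects a degenerate value
        raise ValueError("degenerate public value")
    u = H(B) >> 224                     # 32-bit scrambling parameter
    x = H(salt, password)               # client recomputes x from the typed password
    k_client = H(pow((B - pow(g, x, N)) % N, a + u * x, N))
    k_host = H(pow(A * pow(v, u, N) % N, b, N))
    m1 = H(A, B, k_client)              # message 3, client's proof of the key
    # Plain == keeps the demo short; real code compares proofs in constant time.
    host_accepts = m1 == H(A, B, k_host)
    m2 = H(A, m1, k_host)               # message 4, only for mutual authentication
    client_accepts = host_accepts and m2 == H(A, m1, k_client)
    return host_accepts, client_accepts
```

Presenting the stored verifier in place of the password makes both proofs fail, which is the non-plaintext-equivalence property from item 7 of the security list.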

An SRP API library consisting of simple file and session manipulation primitives has been written, and the current prototypes have been built using it. SRP lends itself readily to small implementations and short, compact technical specifications. Internet drafts for the Telnet and FTP protocol extensions have already been written. Organizations and standards bodies should find SRP fairly easy to adopt and integrate into existing specifications and code.

Political Advantages

While the security of a protocol should be the primary concern of anyone who is considering its use, legal and policy issues should not be overlooked. In this area, SRP also has some appealing advantages for potential users.
  1. SRP is free for non-commercial use. As the inventor of SRP, I have decided to make it free for all non-commercial implementations. Most of the other strong protocols discussed previously are protected by patents held by various large corporations, most of whom are more interested in collecting license fees than encouraging the spread of strong password authentication.
  2. SRP does not use encryption to perform authentication. This is an important distinction in SRP's favor. While protocols in the EKE family, for example, depend on symmetric ciphers, SRP requires only modular arithmetic and one-way hash functions. Since no encryption is employed, SRP is not affected by U.S. export regulations and can be freely transferred in and out of the U.S.
  3. SRP does not use RSA or any other RSADSI intellectual property. In fact, SRP does not use any public-key cryptosystems or digital signature schemes at all. It is based entirely on arithmetic and hashing, both of which can be done with freely-available code and algorithms. Thus, entirely free implementations of SRP can and have been written.
Patents, trademarks, and export regulations have all conspired to make the creation and distribution of cryptographic products more difficult than they should be. SRP is my attempt at opening up access to secure password authentication systems and allowing them to become more widespread. A simple, secure authentication mechanism that is clear of RSADSI intellectual property, not export regulated by the U.S. Commerce Department, and free for non-commercial use would be ideal for free software makers, who have long been at a disadvantage relative to large companies who could generally afford the steep licensing fees and the overhead of obtaining export approval.