README
¶
Secure Remote Password (SRP 6a) implementation for GO
Secure Remote Password protocol (SRP 6a, SRP) is an augmented password-authenticated key agreement (PAKE) protocol, that works around existing patents. The protocol provides a means of key exchange between a client and a server without ever sending the password across the wire.
SRP performs secure remote authentication of short human-usable passwords and resists both passive and active network attacks. SRP is the most widely used and standardized protocol of its type. It offers:
- Freedom from restrictive licenses. This implementation is MIT and BSD licensed.
- Free of patent restrictions.
- Provides strong authentication.
- Standardized.
- Widely used.
This implementation has examples of using it in Go (golang), JavaScript and will soon include an example in Swift on iOS.
According to wikipedia:
"Like all PAKE protocols, an eavesdropper or man in the middle cannot obtain enough information to be able to brute force guess a password without further interactions with the parties for each guess. This means that strong security can be obtained using weak passwords. Furthermore, being an augmented PAKE protocol, the server does not store password-equivalent data. This means that an attacker who steals the server data cannot masquerade as the client unless they first perform a brute force search for the password."
"In layman's terms, given two parties who both know a password, SRP (or any other PAKE protocol) is a way for one party (the "client" or "user") to demonstrate to another party (the "server") that they know the password, without sending the password itself, nor any other information from which the password can be broken, short of a brute force search."
References
License
./big is based on Go source code and is licensed accordingly.
All of the rest of the code is MIT licensed. See LICENSE file.
Documentation
¶
Index ¶
- func GenRandBytes(nRandBytes int) (buf []byte, err error)
- func GenRandNumber(nDigits int) (buf string, err error)
- func MatchPassword(password string, phash PasswordHash) bool
- func Pbkdf2(password []byte, salt []byte, iterations int, hash func() hash.Hash, ...) (out []byte)
- func SessionKey(rawkey []byte, keylen int) []byte
- func Verifier(I, p []byte, bits int) (Ih, salt, v []byte, err error)
- type GoSrp
- func (gs *GoSrp) CalculateA() string
- func (gs *GoSrp) CalculateM2(ClientM1 string) (auth bool, M2_s string)
- func (gs *GoSrp) FixRandom(rval string)
- func (gs *GoSrp) GenerateVerifier(username, password string) (verifier string, salt string)
- func (gs *GoSrp) IssueChallenge(A_s string)
- func (gs *GoSrp) Setup(verifier string, salt string)
- func (gs *GoSrp) TestDump1()
- func (gs *GoSrp) TestDump2()
- func (gs *GoSrp) TestDump3()
- func (gs *GoSrp) TestDump4()
- type PasswordHash
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func GenRandBytes ¶
func GenRandNumber ¶
func MatchPassword ¶
func MatchPassword(password string, phash PasswordHash) bool
func Pbkdf2 ¶
func Pbkdf2(password []byte, salt []byte, iterations int, hash func() hash.Hash, outlen int) (out []byte)
Calculate password hash with PKCS#5 PBKDF2 method using the given hash function as HMAC.
func SessionKey ¶
Generate a session key from the raw key
Types ¶
type GoSrp ¶
type GoSrp struct {
State int
XBits int
Auth bool
//
Key_s string
Salt_s string
XA_s string
Xa_s string
XB_s string
Xb_s string
XHAMK_s string
XI_s string
Xk_s string
XM1_s string
XM2_s string
XS_s string
Xu_s string
Xv_s string
XN_s string
Xg_s string
//
Salt *big.Int
XA *big.Int
Xa *big.Int
Xavu *big.Int
XB *big.Int
Xb *big.Int
Xg *big.Int
Xk *big.Int
XN *big.Int
XS *big.Int
Xu *big.Int
Xv *big.Int
// contains filtered or unexported fields
}
func (*GoSrp) CalculateA ¶
func (*GoSrp) CalculateM2 ¶
Input M1 (from client), A, K
func (*GoSrp) GenerateVerifier ¶
func (*GoSrp) IssueChallenge ¶
------------------------------------------------------------------------------------------------------------------------------------------------- ------------------------------------------------------------------------------------------------------------------------------------------------- ------------------------------------------------------------------------------------------------------------------------------------------------- /api/spr_challenge Input:
A
Output:
M1, B
func (*GoSrp) Setup ¶
/api/spr_login match with __construct *_s is base 16 string representation of value. Names are prefixed with 'X' to make them searchable in code. set Salt, Salt_s
Xv, Xv_s
Xk, Kx_s = Hash( XN || Xg )
Xb, Xb_s = random value, checked for unlikely error
func (*GoSrp) TestDump1 ¶
func (gs *GoSrp) TestDump1()
echo "ST/bits= [{$this->ST}/{$this->bits}]\n\n"; echo "verifier= [{$this->verifier}]\n\n"; echo "salt= [{$this->salt}]\n\n"; echo "Nhex= [{$this->Nhex}]\n\n"; echo "g= [{$this->g}]\n\n"; echo "khex= [{$this->khex}]\n\n"; echo "vhex= [{$this->vhex}]\n\n"; echo "key= [{$this->key}]\n\n"; echo "bhex= [{$this->bhex}]\n\n"; echo "Bhex= [{$this->Bhex}]\n\n";
func (*GoSrp) TestDump2 ¶
func (gs *GoSrp) TestDump2()
echo "Simulated Client\n\n"; echo "ST/bits= [{$this->ST}/{$this->bits}]\n\n"; echo "ahex= [{$this->ahex}]\n\n"; echo "Ahex= [{$this->Ahex}]\n\n";
type PasswordHash ¶
func HashPassword ¶
func HashPassword(password string) (out PasswordHash)
Call Pbkdf2 password hash with reasonable defaults (9999 iterations + SHA1 + 64 bytes output).
func HashPasswordWith ¶
func HashPasswordWith(salt []byte, password string) (out PasswordHash)
Call Pbkdf2 with reasonable defaults (9999 iterations + SHA1 + 64 bytes output).
Source Files
Directories