bsrp
Secure Remote Password Protocol (SRP-6a) Implementation
`bsrp` is a TypeScript implementation of the Secure Remote Password (SRP) protocol, version 6a.
SRP is a password-authenticated key exchange (PAKE) with several properties that make it well suited to login authentication.
It is used by 1Password, iCloud, AWS Cognito and more for login authentication.
## Why SRP?
The kind lads over at 1Password provided the following rationale for using SRP:
- authenticate without ever sending a password over the network.
- authenticate without the risk of anyone learning any of your secrets – even if they intercept your communication.
- authenticate both the identity of the client and the server to guarantee that a client isn’t communicating with an impostor server.
- authenticate with more than just a binary “yes” or “no”. You actually end up with an encryption key.
## B-First SRP Flow
This implementation of the SRP-6a protocol requires just two API calls:

## What is different about B-first?
A B-first implementation of the SRP protocol reveals the server's public value B to the client before receiving the client's public value A and message. This flow is optimized for cloud-native APIs. The sister Python library, also named `bsrp`, is available for backend use [here]().
## Methods
`generateAPair()`: Returns the client's ephemeral A pair (private and public values)
```typescript
export interface APair {
  ephemeralA: BigInteger; // private ephemeral value; stays on the client
  publicA: BigInteger;    // public value A, sent to the server
}
```
`processChallenge(identity, password, salt, ephemeralA, publicA, publicB)`: Returns the client's message and the private strong session key if the calculations pass the SRP-6a safety checks, otherwise `null`
```typescript
export interface ProcessedChallenge {
  message: BigInteger;    // client evidence message, sent to the server
  sessionKey: BigInteger; // strong session key; never sent over the network
}
```
`verifySession()`: Verifies the session and returns the evidence key if authentication is successful, otherwise `null`
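As an added illustration of the B-first flow the three methods above implement, here is a complete SRP-6a exchange in TypeScript. This is example code written for this page, not `bsrp`'s own implementation: the function names mirror the README's methods, but their argument lists, the extra `register`, `generateBPair`, `checkGroup` and `runExchange` helpers, the use of native `bigint` and Node's `crypto` SHA-256 in place of the `BigInteger` type, and the short evidence forms M1 = H(A | B | K) and M2 = H(A | M1 | K) are this example's own choices. It goes beyond the README by including registration and the server side, so the whole exchange runs end to end, and it uses the 1024-bit group from RFC 5054 Appendix A, checked at load time to be a safe prime.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "crypto";
// Group: the 1024-bit SRP group from RFC 5054 Appendix A, g = 2 (prefer a larger group in production).
const N = BigInt("0x" +
  "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576D674DF7496EA81D3" +
  "383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D49" +
  "82559B297BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B" +
  "9FC61D2FC0EB06E3");
const g = 2n;
const NLEN = Math.ceil(N.toString(16).length / 2); // byte length of N, used by PAD()
function modPow(base: bigint, exp: bigint, mod: bigint): bigint {
  let result = 1n;
  for (base %= mod; exp > 0n; exp >>= 1n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
  }
  return result;
}
// Big-endian bytes of x, zero-padded on the left to `len` bytes when given (RFC 5054 PAD()).
function toBuf(x: bigint, len?: number): Buffer {
  const hex = x.toString(16);
  const b = Buffer.from(hex.length % 2 ? "0" + hex : hex, "hex");
  return len === undefined ? b : Buffer.concat([Buffer.alloc(len - b.length), b]);
}
function hash(...parts: Buffer[]): Buffer {
  const h = createHash("sha256");
  for (const p of parts) h.update(p);
  return h.digest();
}
const hashToInt = (...parts: Buffer[]): bigint => BigInt("0x" + hash(...parts).toString("hex"));
const randomExponent = (): bigint => BigInt("0x" + randomBytes(32).toString("hex")) + 1n;
const k = hashToInt(toBuf(N), toBuf(g, NLEN)); // SRP-6a multiplier k = H(N | PAD(g))
// Deterministic Miller-Rabin with fixed small bases; checkGroup() catches a mistyped modulus.
function isProbablePrime(n: bigint): boolean {
  if (n < 4n || n % 2n === 0n) return n === 2n || n === 3n;
  let d = n - 1n, r = 0;
  while (d % 2n === 0n) { d /= 2n; r++; }
  for (const a of [2n, 3n, 5n, 7n, 11n, 13n, 17n, 19n]) {
    let x = modPow(a, d, n);
    if (x === 1n || x === n - 1n) continue;
    for (let i = 1; i < r && x !== n - 1n; i++) x = (x * x) % n;
    if (x !== n - 1n) return false;
  }
  return true;
}
export const checkGroup = (): boolean => isProbablePrime(N) && isProbablePrime((N - 1n) / 2n);
// Registration: x = H(s | H(I ":" P)); the server stores only (s, v = g^x mod N), never P or x.
const computeX = (identity: string, password: string, salt: bigint): bigint =>
  hashToInt(toBuf(salt), hash(Buffer.from(`${identity}:${password}`, "utf8")));
export function register(identity: string, password: string) {
  const salt = BigInt("0x" + randomBytes(16).toString("hex"));
  return { salt, verifier: modPow(g, computeX(identity, password, salt), N) };
}
export function generateBPair(verifier: bigint) {
  const ephemeralB = randomExponent();
  return { ephemeralB, publicB: (k * verifier + modPow(g, ephemeralB, N)) % N }; // B = k*v + g^b
}
export function generateAPair() {
  const ephemeralA = randomExponent();
  return { ephemeralA, publicA: modPow(g, ephemeralA, N) }; // A = g^a
}
// Client. Returns null when an SRP-6a safety check fails (B out of range or ≡ 0 mod N, or u = 0).
export function processChallenge(identity: string, password: string, salt: bigint,
                                 ephemeralA: bigint, publicA: bigint, publicB: bigint) {
  if (publicB >= N || publicB % N === 0n) return null;
  const u = hashToInt(toBuf(publicA, NLEN), toBuf(publicB, NLEN));
  if (u === 0n) return null;
  const x = computeX(identity, password, salt);
  // S = (B - k*g^x)^(a + u*x) mod N; the "+ N" keeps BigInt's signed % non-negative.
  const base = ((publicB - k * modPow(g, x, N)) % N + N) % N;
  const sessionKey = hashToInt(toBuf(modPow(base, ephemeralA + u * x, N)));
  // Client evidence M1 = H(A | B | K); RFC 2945 specifies a longer form that also binds I, s, N, g.
  const message = hashToInt(toBuf(publicA), toBuf(publicB), toBuf(sessionKey));
  return { message, sessionKey };
}
// Server. Recomputes K from the verifier, checks M1 in constant time and, on success, returns M2 = H(A | M1 | K).
export function verifySession(verifier: bigint, ephemeralB: bigint, publicA: bigint,
                              publicB: bigint, clientMessage: bigint) {
  if (publicA >= N || publicA % N === 0n || clientMessage < 0n || clientMessage >= 1n << 256n) return null;
  const u = hashToInt(toBuf(publicA, NLEN), toBuf(publicB, NLEN));
  if (u === 0n) return null;
  const sessionKey = hashToInt(toBuf(modPow(publicA * modPow(verifier, u, N) % N, ephemeralB, N)));
  const expected = hash(toBuf(publicA), toBuf(publicB), toBuf(sessionKey));
  if (!timingSafeEqual(expected, toBuf(clientMessage, 32))) return null;
  return { evidence: hashToInt(toBuf(publicA), toBuf(clientMessage), toBuf(sessionKey)), sessionKey };
}
// One full exchange: true only when both sides derive the same K and both evidences verify.
export function runExchange(identity: string, password: string, attempt: string): boolean {
  const { salt, verifier } = register(identity, password);
  const { ephemeralB, publicB } = generateBPair(verifier);   // server sends (s, B) first
  const { ephemeralA, publicA } = generateAPair();            // client answers with (A, M1)
  const client = processChallenge(identity, attempt, salt, ephemeralA, publicA, publicB);
  if (client === null) return false;
  const server = verifySession(verifier, ephemeralB, publicA, publicB, client.message);
  if (server === null) return false;
  const m2 = hashToInt(toBuf(publicA), toBuf(client.message), toBuf(client.sessionKey));
  return server.evidence === m2 && server.sessionKey === client.sessionKey;
}
```

Two points are worth noticing when reading it against the README's method list. First, the safety checks are what make the `null` returns meaningful: a client that accepted B ≡ 0 mod N or u = 0 would compute a session key an impostor server could predict, so the checks must abort the exchange rather than just warn. Second, the password is only ever hashed into `x` on the client; the server holds the verifier `v` and can confirm the client's message, but nothing it stores or receives lets it recover the password, which is the property the "Why SRP?" list describes.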