Browser-Based SRP without Java

Question

I am considering implementing the Secure Remote Password protocol to conduct a zero-knowledge password proof between the browser and my web application. The SRP website provides an example, but it requires java to perform calculations. I am wondering whether it is possible to implement SRP using javascript without the use of Java, as I do not want to require my users to have Java installed, particularly as my audience will be a security conscious one which would potentially consider the risk of having the java plugin enabled a greater risk to their security than a zero-knowledge password proof.

Here is the link to their demo: http://srp.stanford.edu/demo/

Answer 1

I am wondering whether it is possible to implement SRP using javascript without the use of Java,

If you are looking for a standardized method, the answer in NO.

The WebCrypto Working Group is standardizing things now for some crypto operations. However, the WG has already stated they will not provide access to the underlying BigInt primitives needed for the modular operations, so you won't have the primitives you need in the first release. You may get it in a subsequent release. See Question on BigInteger operations from their mailing list.

Update: the WebCrypto Working Group is not going to provide Diffie-Hellman as part of the standard, either. And the Chrome team is not even going to provide Diffie-Hellman as an extension. They claim there are no use cases or demand for Diffie-Hellman, either. See Diffie-Hellman in WebCrypto from their mailing list.

You might be able to find it in a Javascript library, but I would expect it to be slow (or slower than a native implementation).

---

Related, keep in mind that the same folks who are denying you BigInts and Diffie-Hellman are the same folks who decreed "interception is a valid use case" in the browser security model.

And they are the same folks who broke RFC 7469 Public Key Pinning Extension for HTTP. For a detailed commentary, see Comments on draft-ietf-websec-key-pinning. Worse, when they were called-out for providing the overrides and breaking the secure channel, they changed the language in Draft 21 to Final to make it even more obscure and hidden away.

Answer 2

I use an SRP client in KeeFox. It's a Firefox add-on so has fewer issues with backwards compatibility, cross-browser support, etc. I imagine a slightly modified version would work in most modern browsers though.

It is slow but still fast enough for the occasional use it gets (maximum of once per Firefox session).

I took inspiration from http://code.google.com/p/srp-js/

You can see the end result at https://github.com/luckyrat/KeeFox/blob/master/Firefox%20addon/KeeFox/modules/SRP.js

For my purposes I have optimised away a round-trip but you'll have to assess your own use case to determine whether my specific implementation would be secure.

I had trouble with the first couple of BigInteger libraries I tried (most seem to be faulty for the operations required by SRP) but settled on https://github.com/luckyrat/KeeFox/blob/master/Firefox%20addon/KeeFox/modules/biginteger.js

I've just had a fresh look into native BigInteger support and it still doesn't look like there are any options.

From a firefox addon perspective, I am wondering whether js-ctypes could give access to some Firefox internals that would allow me to speed things up a bit but I've seen my only previous use of ctypes break compatibility with 2 out the 10 Firefox versions that have been released since implementation so I'm wary of using them unless it becomes essential.

Answer 3

Thinbus which is on npm at https://www.npmjs.com/package/thinbus-srp has a pure javascript client library which performs SRP to a java server (Edit or a PHP server). If you are not using java or PHP in your web it should be fairly straight forward to port the server logic to your web application as it is only using standard SHA256 hashing and BigInteger math which will be available in other languages.