Example: Strong Password Authentication using SRP
There are numerous strong-password algorithms that could be used. The description below is an excerpt from the SRP home page, one of several candidate methods.
---------------------------------------------------------------------------------------------------------------------------------------------
SRP is a secure password authentication protocol. It solves the problem of authenticating clients to servers securely, in cases where the client must memorize a small secret (like a password) and carries no other secret information, and where the server carries a verifier which allows it to authenticate the client but which, if compromised, would not allow someone to impersonate the client.
Many password authentication solutions claim to solve this exact problem, and new ones are constantly being proposed. Although one can claim security by devising a protocol that avoids sending the plaintext password unencrypted, it is much more difficult to devise a protocol that remains secure when:
- Attackers have complete knowledge of the protocol.
- Attackers have access to a large dictionary of commonly used passwords.
- Attackers can eavesdrop on all communications between client and server.
- Attackers can intercept, modify, and forge arbitrary messages between client and server.
- A mutually trusted third party is not available.
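The following is an added worked example of the exchange that the SRP description above is about; it is not code from the SRP home page or from the SRP project. It runs both roles in one process so the four messages (I and A; s and B; M1; M2) can be followed end to end. Everything the excerpt leaves open is an assumption here: the 1024-bit group from RFC 5054 Appendix A with g = 2 (transcribed into the block and sanity-checked as a safe prime on import), SHA-256 as the hash, and the simple proof messages M1 = H(A | B | K) and M2 = H(A | M1 | K).

```python
"""SRP-6a exchange, client and server side by side. Added example for this
page, not code from the SRP home page or the SRP project. Assumed: the
RFC 5054 Appendix A 1024-bit group (g = 2), SHA-256 as H, M1 = H(A|B|K)."""
import hashlib, hmac, os, secrets

# RFC 5054 1024-bit group as transcribed here; check_group() below aborts the
# import if the transcription is not a safe prime with g generating the group.
N = int("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
        "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
        "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
        "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8          # byte width of PAD()

def is_probable_prime(n, rounds=16):      # Miller-Rabin; for odd n > 3 only
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def check_group(n, gen):                  # n = 2q+1, q prime, gen of order 2q
    q = (n - 1) // 2
    return (n % 2 == 1 and is_probable_prime(n) and is_probable_prime(q)
            and pow(gen, 2, n) != 1 and pow(gen, q, n) != 1)

if not check_group(N, g):
    raise RuntimeError("SRP group parameters failed the safe-prime check")

def pad(x):
    return x.to_bytes(NLEN, "big")
def sha(*parts):
    return hashlib.sha256(b"".join(parts)).digest()
def H(*parts):
    return int.from_bytes(sha(*parts), "big")

k = H(pad(N), pad(g))                     # SRP-6a multiplier k = H(N | PAD(g))

def private_x(username, password, salt):
    """x = H(s | H(I ":" P)): derived on the client, never stored anywhere."""
    return H(salt, sha(f"{username}:{password}".encode()))

def make_verifier(username, password, salt=b""):
    """Registration: the server keeps (s, v = g^x mod N), not the password."""
    salt = salt or os.urandom(16)
    return salt, pow(g, private_x(username, password, salt), N)

class Client:
    def __init__(self, username, password):
        self.I, self.P = username, password
        self.a = secrets.randbelow(N - 2) + 1     # ephemeral secret
        self.A = pow(g, self.a, N)                # message 1: I, A

    def challenge(self, salt, B):                 # consume message 2, emit M1
        u = H(pad(self.A), pad(B))
        if B % N == 0 or u == 0:
            raise ValueError("B mod N == 0 or u == 0: abort (RFC 5054)")
        x = private_x(self.I, self.P, salt)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = sha(pad(S))
        self.M1 = sha(pad(self.A), pad(B), self.K)   # message 3
        return self.M1

    def verify_server(self, M2):                  # message 4: server held v
        return hmac.compare_digest(M2, sha(pad(self.A), self.M1, self.K))

class Server:
    def __init__(self, salt, v):
        self.salt, self.v = salt, v
        self.b = secrets.randbelow(N - 2) + 1
        self.B = (k * v + pow(g, self.b, N)) % N  # message 2: s, B

    def identity(self, A):                        # consume message 1
        if A % N == 0:
            raise ValueError("A mod N == 0: abort (RFC 5054)")
        self.A = A
        u = H(pad(A), pad(self.B))
        self.K = sha(pad(pow(A * pow(self.v, u, N), self.b, N)))
        return self.salt, self.B

    def proof(self, M1):                          # consume message 3, emit M2
        if not hmac.compare_digest(M1, sha(pad(self.A), pad(self.B), self.K)):
            return None                           # bad password: no M2, no K
        return sha(pad(self.A), M1, self.K)

def run_exchange(username, password, salt, v):
    """Full run; returns (server_accepted_client, client_accepted_server)."""
    c, s = Client(username, password), Server(salt, v)
    salt_out, B = s.identity(c.A)
    M2 = s.proof(c.challenge(salt_out, B))
    return (False, False) if M2 is None else (True, c.verify_server(M2))

if __name__ == "__main__":
    salt, v = make_verifier("alice", "correct horse battery staple")
    print(run_exchange("alice", "correct horse battery staple", salt, v))
    print(run_exchange("alice", "wrong password", salt, v))
```

Two things the exchange makes concrete: the password itself never crosses the wire in any form (the client sends A, the server sends s and B, and the only password-derived values exchanged are the hashes M1 and M2 of a key that both sides derived independently), and the server's stored verifier v = g^x is not a login credential, so running the client with v as the "password" fails. The caveat a practitioner should keep in mind is that a stolen verifier still permits an offline dictionary attack on x, so SRP does not remove the need for strong passwords or for a verifier store that is protected like a password hash database. Note also that RFC 5054, the TLS-SRP profile, specifies SHA-1 rather than the SHA-256 assumed here and publishes larger groups (1536 up to 8192 bits) alongside the 1024-bit one used for brevity.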