Features

  • Mutual handshake - validates server on login
  • Using strong cryptography
  • No eavesdropping on the network
  • Challenge-response prevents replay attacks
  • Seeding prevents dictionary attacks on the server

Resources

Official website at Stanford

Wikipedia Article on SRP

Libraries and Implementations:

Try it ... It works just like a normal password - but it's safer.

1. Signup

Your browser transfers an encrypted verifier based on your password. But it does not send the password itself.

<% if @user %>

You are signed up as <%= @user.login %>.

<% end %> <%= button_link(:signup, :primary => !@user) %>

2. Login

You enter your password - your browser exchanges encrypted data with the site to check if it was the right one.

<% if @user && @user.active %>

You are logged in.

<% end %> <%= button_link(:login, :primary => @user && !@user.active) %>

3. Verify

You can see from the logs that your password was not sent. The login process is different each time, so it can't be replayed.

<%= button_link(:verify, :primary => @user && @user.active) %>
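The three steps above (signup stores a verifier, login is a challenge-response exchange, and the transcript changes every time) are shown here in one self-contained SRP-6a round trip. This is an added example, not the demo application's own code; it assumes the RFC 5054 1024-bit group with SHA-256 as the hash, and runs both the browser side and the server side in one process so the two derived keys can be compared.

```python
import hashlib
import os

# RFC 5054 1024-bit group: N is a safe prime, g = 2 is the generator (assumed here).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8


def H(*parts):
    """SHA-256 over the concatenated byte strings, read as a big-endian integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def pad(n):
    return n.to_bytes(NLEN, "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier


def private_x(salt, user, pw):
    return H(salt, hashlib.sha256(user + b":" + pw).digest())


def signup(user, pw):
    """Step 1 (client): a random salt and the verifier v = g^x are sent; pw never is."""
    salt = os.urandom(16)
    return salt, pow(g, private_x(salt, user, pw), N)


def login(user, pw, salt, v):
    """Steps 2 and 3: one exchange. Returns (client key, server key, (A, B) transcript)."""
    a = int.from_bytes(os.urandom(32), "big")       # client ephemeral
    A = pow(g, a, N)                                 # client -> server
    b = int.from_bytes(os.urandom(32), "big")       # server ephemeral, fresh per login
    B = (k * v + pow(g, b, N)) % N                   # server -> client (v stays hidden)
    if A % N == 0 or B % N == 0:
        raise ValueError("invalid public value")     # mandatory check from RFC 5054
    u = H(pad(A), pad(B))                            # challenge bound to both halves
    x = private_x(salt, user, pw)                    # client only: needs the password
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow(A * pow(v, u, N) % N, b, N)       # server only: needs the verifier
    K_c, K_s = H(pad(S_client)), H(pad(S_server))
    # Mutual proof: client sends M1 first, server answers M2 only if M1 matched.
    M1 = H(pad(A), pad(B), pad(K_c))
    M2 = H(pad(A), pad(M1), pad(K_s)) if M1 == H(pad(A), pad(B), pad(K_s)) else None
    return K_c, K_s, (A, B, M1, M2)
```

The keys agree only when the client used the right password; a wrong password yields a different client key, the server withholds M2, and because a and b are fresh each time the A/B transcript never repeats.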