JSRP is a pure JavaScript implementation of SRP-6A, the Secure Remote Password protocol, as defined in RFC 2945. It can be used in Node.js or the browser via Browserify. It uses SHA-256 by default for hashing, although it will support any of Node's hashing functions. It currently supports 2048 and 4096 bit parameters.
JSRP was written to make SRP simple to implement and work with from the browser and on the server. All high-level functions return hex strings that are easy to pass between server and client, as well as save. No need to waste time serializing and unserializing objects just to transmit them over the network.
To use JSRP in the browser, first add the script: (it can be downloaded from the Releases page.)
<script type="text/javascript" src="https://github.com/alax/jsrp/raw/master/jsrp-browser.js"></script>To use JSRP in Node, simply run:
npm install jsrpJSRP will be available from the jsrp global.
Just require the module:
var jsrp = require('jsrp');The example will run in Node or the browser, JSRP is completely compatible with both.
Example Registration Process:
var client = new jsrp.client();
client.init({ username: 'testUser', password: 'password123' }, function () {
client.createVerifier(function(err, result) {
// result will contain the necessary values the server needs to
// authenticate this user in the future.
sendSaltToServer(result.salt);
sendVerifierToServer(result.verifier);
});
});Example Login Process: (normally client and server wouldn't be in the same code, but the example is this way for the sake of brevity)
var client = new jsrp.client();
var server = new jsrp.server();
client.init({ username: 'username', password: 'password123' }, function() {
// Client instance is ready to be used here.
});
server.init({ salt: 'LONG_HEX_VALUE', verifier: 'EVEN_LONGER_HEX_VALUE' }, function () {
// Server instance is ready to be used here.
});
// Remember, both client and server must have called their
// init() callback before you can continue using them. The
// following functions would normally be called inside that
// callback.
cPubKey = client.getPublicKey();
server.setClientPublicKey(cPubKey);
salt = server.getSalt();
client.setSalt(salt);
sPubKey = server.getPublicKey();
client.setServerPublicKey(sPubKey);
client.getSharedKey() === server.getSharedKey() // will be trueClient methods:
init(options, callback)
options should be an object containing a username and a password. { username: 'username', password: 'password' }. You may also pass a length property, which will allow you to select the size of your parameters. It defaults to 4096.callback will be called when the client instance is ready to use.getPublicKey() -> Hex A value
setSalt(salt)
salt should be the hex string obtained from Server.getSalt(), this sets the client's internal salt value for later computations.setServerPublicKey(serverPublicKey)
serverPublicKey should be the hex representation of the server's B value, as returned from Server.getPublicKey(). When this function is called, provided the publicKey is valid, the client instance will compute the rest of the values needed internally to complete authentication. This will throw an error if the server provides an incorrect value, authentication MUST be aborted here.getSharedKey() -> Hex K value
getProof() -> Hex M1 value
checkServerProof(serverProof) -> Boolean
serverProof matches the client's own proof computation, false if it doesn't. serverProof can be obtained from Server.getProof(). This can only be called after getProof().getSalt() -> Hex salt
createVerifier() (see next item), or the salt that was passed via setSalt()createVerifier(callback) -> Hex V value
init()callback will be called once the verifier has been created, with two values, err, and object, where object looks like { verifier: HEX_STRING, salt: HEX_STRING } and is suitable for transmission to the server.Server methods:
init(options, callback)
options should be an object containing the hex representations of verifier and salt. These should be the values received from the initial client registration using Client.createVerifier(). You may also pass length, which allows you to select the size of your parameters.callback will be invoked once the server instance is ready to use.getPublicKey() -> Hex B value
getSalt() -> Hex salt value
init())setClientPublicKey(clientPublicKey)
clientPublicKey should be the hex value returned from Client.getPublicKey(). Assuming it's valid, the server will then compute the values necessary to complete authentication internally. This will throw an error if the client provides an incorrect value, authentication MUST be aborted here.getSharedKey() -> Hex K value
checkClientProof(clientProof) -> Boolean
clientProof matches the server's own proof computation, false if it doesn't. If this value is true, then the client has provided the correct password, and can be considered authenticated. If it's false, the client used the wrong password. clientProof is the hex string obtained from Client.getProof()getProof() -> Hex M2 value
checkClientProof().In either scenario, if you'd like to interact with the SRP protocol implementation directly, the SRP object will be available on the client/server object after running init(). You can access it using clientObj.srp or serverObj.srp. The intermediate values calculated by the client and server are also available on the objects themselves as well.
First, install the dependencies:
npm installAlso, you will need Mocha and CoffeeScript if you don't have them already:
npm install -g mocha coffee-scriptThen simply run:
npm testTo build JSRP for the browser, you will need Browserify and CoffeeScript:
npm install -g browserify coffee-scriptThen run the following commands inside the JSRP directory:
coffee --compile --output lib src
browserify jsrp.js --standalone jsrp > jsrp-browser.jsJSRP would not exist if it wasn't for Node-SRP: https://github.com/mozilla/node-srp. They provided a solid reference implementation, but JSRP was born out of wanting a reliable browser implementation as well as server implementation.