Transport Layer Security Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in secu ...

Secure Remote Password (TLS-SRP) ciphersuites are a set of

cryptographic protocol A security protocol (cryptographic protocol or encryption protocol) is an abstract or concrete protocol that performs a security-related function and applies cryptographic methods, often as sequences of cryptographic primitives. A protocol descr ...

s that provide secure communication based on

password A password, sometimes called a passcode (for example in Apple devices), is secret data, typically a string of characters, usually used to confirm a user's identity. Traditionally, passwords were expected to be memorized, but the large number of ...

s, using an SRP password-authenticated key exchange. There are two classes of TLS-SRP ciphersuites: The first class of cipher suites uses only SRP authentication. The second class uses SRP authentication and

public key certificate In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the validity of a public key. The certificate includes information about the key, information about the ...

s together for added security. Usually, TLS uses only

s for authentication. TLS-SRP uses a value derived from a password (the SRP verifier) and a salt, shared in advance among the communicating parties, to establish a TLS connection. There are several possible reasons one may choose to use TLS-SRP: * Using password-based authentication does not require reliance on certificate authorities. * The end user does not need to check the URL being certified. If the server does not know data derived from the password then the connection simply cannot be made. This prevents

Phishing Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious softwar ...

. * Password authentication is less prone than certificate authentication to certain types of configuration mistakes, such as expired certificates or mismatched common name fields. * TLS-SRP provides mutual authentication (the client and server both authenticate each other), while TLS with server certificates only authenticates the server to the client. Client certificates can authenticate the client to the server, but it may be easier for a user to remember a password than to install a certificate.

Implementations

TLS-SRP is implemented in

GnuTLS GnuTLS (, the GNU Transport Layer Security Library) is a free software implementation of the TLS, SSL and DTLS protocols. It offers an application programming interface (API) for applications to enable secure communication over the network tra ...

, OpenSSL as of release 1.0.1, Apache mod_gnutls and mod_ssl,

cURL cURL (pronounced like "curl", UK: , US: ) is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various network protocols. The name stands for "Client URL". History cURL was fir ...

, TLS Lite SecureBlackbox and

wolfSSL wolfSSL is a small, portable, embedded SSL/TLS library targeted for use by embedded systems developers. It is an open source implementation of TLS (SSL 3.0, TLS 1.0, 1.1, 1.2, 1.3, and DTLS 1.0, 1.2, and 1.3) written in the C programming langu ...

Standards

RFC 2945: “The SRP Authentication and Key Exchange System”.

RFC 5054: “Using the Secure Remote Password (SRP) Protocol for TLS Authentication”.

References

{{Reflist Transport Layer Security

Implementations

Standards

See also

References