Secure Remote Password library for Go

go-srp

NOTE: This is a port of node-srp to Go. I recommend reading their README for general information about the use of SRP.

Installation

go get github.com/kong/go-srp

Usage

View GoDoc for full details

To use SRP, first decide on they parameters you will use. Both client and server must use the same set.

params := srp.GetParams(2048)

Account Creation

To create a new account, generate a verifier from the client, and store it on the server.

verifier := srp.ComputeVerifier(params, salt, identity, password)

Login

From the client... generate a new secret key, initialize the client, and compute A. Once you have A, you can send A to the server.

secret1 := srp.GenKey()
client := NewClient(params, salt, identity, secret, a)
srpA := client.computeA()

sendToServer(srpA)

From the server... generate another secret key, initialize the server, and compute B. Once you have B, you can send B to the client.

secret2 := srp.GenKey()
server := NewServer(params, verifier, secret2)
srpB := client.computeB()

sendToClient(srpB)

Once the client received B from the server, it can compute M1 based on A and B. Once you have M1, send M1 to the server.

client.setB(srpB)
srpM1 := client.ComputeM1()
sendM1ToServer(srpM1)

Once the server receives M1, it can verify that it is correct. If checkM1() returns an error, authentication failed. If it succeeds it should be sent to the client.

srpM2, err := server.checkM1(srpM1)

Once the client receives M2, it can verify that it is correct, and know that authentication was successful.

err = client.CheckM2(serverM2)

Now that both client and server have completed a successful authentication, they can both compute K independently. K can now be used as either a key to encrypt communication or as a session ID.

clientK := client.ComputeK()
serverK := server.ComputeK()

Running Tests

go test

Tests include vectors from RFC 5054, Appendix B.

Licence

MIT

Owner
Kong
The Cloud Connectivity Company. Community Driven & Enterprise Adopted.
Kong
Similar Resources

Validate the Strength of a Password in Go

Validate the Strength of a Password in Go

go-password-validator Simple password validator using raw entropy values. Hit the project with a star if you find it useful ⭐ Supported by Qvault This

Jan 6, 2023

A simple Go script to brute force or parse a password-protected PKCS#12 (PFX/P12) file.

A simple Go script to brute force or parse a password-protected PKCS#12 (PFX/P12) file.

A simple Go script to brute force or parse a password-protected PKCS#12 (PFX/P12) file.

Oct 14, 2022

EarlyBird is a sensitive data detection tool capable of scanning source code repositories for clear text password violations, PII, outdated cryptography methods, key files and more.

EarlyBird is a sensitive data detection tool capable of scanning source code repositories for clear text password violations, PII, outdated cryptography methods, key files and more.

EarlyBird is a sensitive data detection tool capable of scanning source code repositories for clear text password violations, PII, outdated cryptograp

Dec 10, 2022

Not Yet Another Password Manager written in Go using libsodium

secrets Secure and simple passwords manager written in Go. It aims to be NYAPM (Not Yet Another Password Manager), but tries to be different from othe

May 30, 2022

password manager using age for encryption

page ====== password manager using age (https://age-encryption.org/) for encryption. encrypted secrets are files in the $PAGE_SECRETS/ directory that

May 30, 2022

Custom GPG pinentry program for macOS that allows using Touch ID for fetching the password from the macOS keychain.

Custom GPG pinentry program for macOS that allows using Touch ID for fetching the password from the macOS keychain.

pinentry-touchid Custom GPG pinentry program for macOS that allows using Touch ID for fetching the password from the macOS keychain. Macbook Pro devic

Jan 1, 2023

A Go Module to interact with Passbolt, a Open source Password Manager for Teams

go-passbolt A Go Module to interact with Passbolt, a Open source Password Manager for Teams This Module tries to Support the Latest Passbolt Community

Oct 29, 2022

ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.

ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.

ZipExec ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file. This zip file is then base64 encoded i

Dec 31, 2022

GoLang script that checks for password leaks by sending email address to the BreachDirectory API

GoLang script that checks for password leaks by sending email address to the BreachDirectory API

GoLang script that checks for password leaks by sending email address to the BreachDirectory API

Feb 17, 2022
Comments
  • About salt

    About salt

    Some programs return the salt after sending the login, not at the beginning. I suggest adding in the client.go

    func (c *SRPClient) SetSalt(salt, identity, password []byte) {
    	c.X = getx(c.Params, salt, identity, password) //Overwrite
    }
    
  • Fork

    Fork

    Hi. Thanks a lot for your implementation. It saved me hours. I just made a fork of it and made it compatible with Apple's CoreCrypto implementation or SRP. Just wanted to know if you are OK if I make it public under my username in Github? And also wanted to know if you will merge if I make a pull request of that or not. I think you won't because it is not compatible with node-srp anymore. Regards

  • Constant time compare would be safer

    Constant time compare would be safer

    https://github.com/Kong/go-srp/blob/master/server.go#L55 should probably use crypto/subtle's ConstantTimeCompare. I'm guessing leaking timing is not exploitable in most contexts but you never know.

  • panic: crypto: requested hash function #5 is unavailable

    panic: crypto: requested hash function #5 is unavailable

    I get the following error when I create a new Client

    panic: crypto: requested hash function #5 is unavailable
    
    goroutine 1 [running]:
    crypto.Hash.New(0x5, 0x0, 0x0)
            C:/Go/src/crypto/crypto.go:89 +0x117
    github.com/getinsomnia/go-srp.getMultiplier(0xc0420464a0, 0x20)
            C:/Drive/Programming/go/src/github.com/getinsomnia/go-srp/srp.go:93 +0x3a
    github.com/getinsomnia/go-srp.NewClient(0xc0420464a0, 0xc04204a180, 0x20, 0x20, 0xc042067f10, 0x9, 0x20, 0xc042067ef0, 0x8, 0x20, ...)
            C:/Drive/Programming/go/src/github.com/getinsomnia/go-srp/client.go:23 +0x47
    main.main()
    
Related tags
Easy to use cryptographic framework for data protection: secure messaging with forward secrecy and secure data storage. Has unified APIs across 14 platforms.
Easy to use cryptographic framework for data protection: secure messaging with forward secrecy and secure data storage. Has unified APIs across 14 platforms.

Themis provides strong, usable cryptography for busy people General purpose cryptographic library for storage and messaging for iOS (Swift, Obj-C), An

Jan 6, 2023
:key: Idiotproof golang password validation library inspired by Python's passlib

passlib for go Python's passlib is quite an amazing library. I'm not sure there's a password library in existence with more thought put into it, or wi

Dec 30, 2022
A convenience library for generating, comparing and inspecting password hashes using the scrypt KDF in Go 🔑

simple-scrypt simple-scrypt provides a convenience wrapper around Go's existing scrypt package that makes it easier to securely derive strong keys ("h

Dec 22, 2022
A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.

age age is a simple, modern and secure file encryption tool, format, and library. It features small explicit keys, no config options, and UNIX-style c

Dec 28, 2022
A Go Library For Generating Random, Rule Based Passwords. Many Random, Much Secure.
A Go Library For Generating Random, Rule Based Passwords. Many Random, Much Secure.

Can Haz Password? A Go library for generating random, rule based passwords. Many random, much secure. Features Randomized password length (bounded). T

Dec 6, 2021
linenoise is a library that generates strings of random characters that can be used as reasonably secure passwords.

linenoise linenoise is a library that generates strings of random characters (herein called a "noise") that can be used as reasonably secure passwords

Dec 7, 2022
A light package for generating and comparing password hashing with argon2 in Go

argon2-hashing argon2-hashing provides a light wrapper around Go's argon2 package. Argon2 was the winner of the Password Hashing Competition that make

Sep 27, 2022
Argon2 password hashing package for go with constant time hash comparison

argon2pw Argon2 password hashing package with constant time hash comparison Preface: Argon2 was selected as the winner of the Password Hashing Competi

Sep 27, 2022
Password generator written in Go

go-generate-password Password generator written in Go. Use as a library or as a CLI. Usage CLI go-generate-password can be used on the cli, just insta

Dec 19, 2022