The library contains an implementation of the SRP6-a password authenticated key exchange protocol.

A SRP client provides what is called a SRP verifier to the server. This verifier is based on a password, but the password cannot be easily derived from the verifier (however brute force attacks are possible). Later, the client and server can perform an SRP exchange, which results in a shared secret key. This key can be used for mutual authentication and/or encryption.

SRP works in a discrete logarithm group. Special parameter sets for SRP6 are defined, denoted in the library as “modpsrpsize”, for example “modpsrp2048”.

Warning

While knowledge of the verifier does not easily allow an attacker to get the raw password, they could still use the verifier to impersonate the server to the client, so verifiers should be protected as carefully as a plaintext password would be.

``` import Botan.SRP6 import Botan.PubKey (DLGroup(..)) import Botan.Hash import Botan.MAC let group = MODP_SRP_4096 let hash = Cryptohash $ SHA2 SHA512 let user = "bob" let pass = "burger" -- Signup -- Client generates a salt and verifier, and sends them to a server (salt, verifier) <- generateSRP6ClientSecrets group hash user pass -- Authentication (client has requested a connection) -- Server looks up their verifier, generates a server key, and sends it back session <- newSRP6ServerSession serverKey <- generateSRP6ServerKey group hash session verifier -- Client receives server key, and generates a client key and (client) session key (clientKey, clientSessionKey) <- generateSRP6ClientKeys group hash user pass salt serverKey -- Server receives client key, and generates a matching (server) session key serverSessionKey <- generateSRP6SessionKey session clientKey -- At this point, clientSessionKey and serverSessionKey should be equal, -- but this should be confirmed by exchanging hash digest to check for integrity, -- or preferrably, an (h)mac digest to also include authentication and avoid impersonation. -- The client should send their hash / hmac first as the server shouldn't do -- anything with the session key until they finish verifying the client -- SEE: https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol#Offline_bruteforce_attack_with_server-first_messaging_in_the_absence_of_key_verification -- We can handle this by having both the client and server calculate a mac auth -- code using the session key and user name. -- The client calculates and sends first Just clientAuth = mac (HMAC hash) clientSessionKey user -- The server receives the client auth, generates their own, and compares them Just serverAuth = mac (HMAC hash) serverSessionKey user serverAuth == clientAuth -- If it matches, the server then switches to encrypted mode using the session key -- and sends the server auth code to the client -- QUESTION, should the server send the server auth code before switching to encrypted, -- or should it send the server auth code as the first encrypted message? FIND OUT ```

Minus the explanations

``` import Botan.SRP6 import Botan.PubKey (DLGroup(..)) import Botan.Hash import Botan.MAC let group = MODP_SRP_4096 let hash = Cryptohash $ SHA2 SHA512 let user = "bob" let pass = "burger" (salt, verifier) <- generateSRP6ClientSecrets group hash user pass session <- newSRP6ServerSession serverKey <- generateSRP6ServerKey group hash session verifier (clientKey, clientSessionKey) <- generateSRP6ClientKeys group hash user pass salt serverKey serverSessionKey <- generateSRP6SessionKey session clientKey Just clientAuth = mac (HMAC hash) clientSessionKey user Just serverAuth = mac (HMAC hash) serverSessionKey user serverAuth == clientAuth ```