Make your own free website on Tripod.com

SRP Authenticated Sockets in Python

The latest release is SRPSocket version 1.1.

SRPSocket is a Python module that creates an authenticated socket. The socket is authenticated using the SRP (Secure Remote Password) protocol. That is, the server requires the client to supply a passphrase in order to create the socket. SRP is safe to use over the network. It resists offline dictionary attacks, man-in-the-middle attacks, allows both client and host authentication (to prevent host spoofing), creates a secure, shared session key as a side effect, and has several other nice properties.

Note that the term ``password'' may safely and usefully be replaced with the term ``passphrase'', as the latter are usually more secure (i.e. have more bits of entropy) and easier to remember.

The home page for SRP is http://srp.stanford.edu/.

This version uses SHA hashes. If your version of Python does not have SHA hashes, consider upgrading to the latest version of Python, or simply replace all references to "sha" with "md5".

SRP uses arithmetic in a prime field. The distribution comes with one preselected safe prime that is about 1024 bits long. Feel free to use others, but keep in mind that the client and the server must agree on the set of primes used.

To begin, create the passwd database with "python SRP.py" (see client.py). In this version, the passwd file is just in the local directory of the server, and no mode setting is done. You should set the modes on the passwd file so that it is not world readable (0600 for example), to prevent offline dictionary attacks. Note again that even if it is readable (like the standard /etc/passwd), use of long pass phrases instead of passwords can help tremendously.

$ python SRP.py
SRP> passwd mary
Enter new password for mary:
SRP> list
['mary']
SRP> save
SRP> quit
$

The SRPSocket distribution comes with a passwd file created in this way, for testing purposes. The passphrase for user ``mary'' is ``4 score and 7''.

To test SRPSocket, first run "python server.py". This creates a listener on local port 1234. Then (either locally or on a remote machine), run python and say:

>>> import SRPSocket
>>> sock, key = SRPSocket.SRPSocket(host, 1234, 'mary')

where host should be replaced with either "''" if the server is the local host, or the remote hostname in quotes if it is not. The client will ask for user mary's passphrase. Once entered, the authentication process will begin. With the default 1024-bit prime field, authentication can take several seconds on older hardware, but should be fairly quick on modern CPUs.

The socket is retured in the variable sock, and the variable key will contain a 160-bit shared secret key that may be used to encrypt the conversation on the socket.

Finally, remember that many breaches of security involve buggy software, such as servers susceptible to buffer overflow exploits that totally bypass any passphrase, secure or not. But SRP will at least stop you from sending passwords over the net in the clear!