While this is interesting historical reading, SRP is badly outdated and should not be used for any newly built systems. It has a lot of non-obvious failure modes around parameter handling and offline password cracking that have broken the authentication mechanism in every implementation I've seen in the real world (new implementations, not when using large packages such as OpenSSL).
Furthermore, PAKEs are of relatively limited utility; in almost every situation you could use a PAKE, there is a better, more battle-tested alternative. You will be much less likely to have complete authentication bypass in your system if you use mutual TLS rather than a PAKE.
If you have to use a PAKE, use a reviewed implementation of SPAKE2. Oh wait, there aren't any. Don't use a PAKE.
A nit: even compared to some recent designs, SRP is pretty thoughtful about offline password cracking. It's not as expensive to crack as a real password hash, but far more expensive than other PAKEs.
I haven't read enough about the other PAKEs to know what offline attacks look like there, but the fact that they are endemic to PAKEs is a total footgun.
For example, one implementation of SRP I looked at used 8-digit codes (e.g. 12345678) to connect new devices to a network. Eight digits was enough to prevent brute-forcing by repeatedly sending codes to the server, but not enough to prevent an attacker from MITMing the connection and brute-forcing the code offline, because the server was using a bad RNG.
Wait, what's the brute-force attack you're contemplating here? I'm thinking of the attack where you've compromised the servers and stolen the verifiers.
Looking back at my notes, I think my earlier comment was misleading. The offline brute force was due to an insecure random number generator, which allowed an attack against B to recover b (and from there crack the 8 digit code). So, uh, ... I'm wrong on the internet. I think we've talked about this attack before actually :P
SRP completely prevents passive MITM attacks and requires online active attack (real time impersonation of either or both parties during the handshake), and even then you can't do anything if the real server and client impose their own rate limiting
I admittedly don't know enough about the underlying cryptography to have an educated opinion, but it seems like they put some due diligence into determining it still provided value.
1Password uses TLS, and SRP inside TLS. If TLS is broken as in Cloudbleed, SRP hopefully still protects the channel - at least against non-active attacks such as Cloudbleed. The security still ultimately relies on TLS. Having not read the document fully, I think those would be against initial registration or in an active MITM allowing password-guessing. I'm looking at page 52 of https://1password.com/teams/white-paper/1Password%20for%20Te....
This sounds like ephemeral diffie hellman. Is that still protected by patents? I wouldn't think so seeing we've had robust implementations in openssl for a long time now.
> The Secure Remote Password protocol (SRP) is an augmented password-authenticated key agreement (PAKE) protocol, specifically designed to work around existing patents.[1]
They're related in that the derivation of session secrets is done through a simple modular exponentiation. Pretty much nothing else, from the generation of keypairs to the selection of groups to work in to the way parameters have to be checked, are the same.
Furthermore, PAKEs are of relatively limited utility; in almost every situation you could use a PAKE, there is a better, more battle-tested alternative. You will be much less likely to have complete authentication bypass in your system if you use mutual TLS rather than a PAKE.
If you have to use a PAKE, use a reviewed implementation of SPAKE2. Oh wait, there aren't any. Don't use a PAKE.