
> What we needed, in this case, is a strong Zero-knowledge proof (without transferring password) system that does mutual authentication on the client & server.

I've not heard of SRP before, but it seems like it's trying to solve an already solved problem, and in a seemingly more complicated manner. The W3C's Web Authentication spec[1,2], on the other hand, looks very promising, and I'm hoping all browser vendors will get behind it once it's finished.

[1] https://webauthn.io

[2] https://www.w3.org/TR/webauthn-1/

SRP is a remote password protocol. WebAuthN is for public key-based credentials in web apps... so not really related?

SRP is a "perfect" remote password protocol: it reveals no information about your password, not even a salted secure hash of it, which could be brute forced or cracked. The only information that is gained by the server is whether the client has entered the correct password or not. It's somewhat surprising that this good of a password protocol even exists. There are others with similar properties, but it still surprises me.

The main reason I suspect that SRP didn't become widely used much earlier is that it was originally patented. The patent appears to have expired in 2015, so it seems like one can use the protocol for free now. The text on the Stanford SRP page [1] reads as though it was always designed to be open and freely usable, but that's not my recollection from reading about it years ago. I recall reading about the protocol (maybe 15-20 years ago), getting really excited and then getting to the part where it was patented and getting equally disappointed.

[1] http://srp.stanford.edu/whatisit.html
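To make the property described in that comment concrete, here is an added example (not code from the page, the commenter, or the Stanford SRP project) that runs both sides of an SRP-6a exchange in one file. Assumptions: SHA-256 is used as the hash, the proof messages M1 and M2 use the simplified forms H(A|B|K) and H(A|M1|K) rather than the longer M1 of RFC 2945, the identity and password strings are constructed sample input, and the group constant is the 1024-bit N from RFC 5054 Appendix A as transcribed for this example (check it against the RFC before relying on it). The server stores only a salt and the verifier v = g^x mod N, never x or the password, and a failed login tells it nothing beyond "wrong password".

```python
"""SRP-6a password-authenticated key exchange, both sides, in one file.

Added illustration, not the page's or the Stanford project's code. Hash is
SHA-256; the proofs M1/M2 are the simplified H(A|B|K) / H(A|M1|K). The group
constant is the 1024-bit N of RFC 5054 Appendix A as transcribed here (assumed
correct; verify against the RFC before production use).
"""
import hashlib
import hmac
import secrets

N_HEX = (
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3"
)
N = int(N_HEX, 16)
g = 2
N_BYTES = (N.bit_length() + 7) // 8


def pad(x: int) -> bytes:
    """Fixed-width big-endian encoding, like RFC 5054's PAD()."""
    return x.to_bytes(N_BYTES, "big")


def sha(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def H(*parts: bytes) -> int:
    return int.from_bytes(sha(*parts), "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier parameter


def private_x(salt: bytes, identity: bytes, password: bytes) -> int:
    """x = H(s | H(I | ':' | P)); only the client ever computes this."""
    return H(salt, sha(identity, b":", password))


def register(identity: bytes, password: bytes):
    """Enrolment: the server stores (salt, v) and never sees x or P."""
    salt = secrets.token_bytes(16)
    v = pow(g, private_x(salt, identity, password), N)
    return salt, v


class Client:
    def __init__(self, identity: bytes, password: bytes):
        self.I, self.P = identity, password
        self.a = secrets.randbits(256) | 1           # ephemeral private value
        self.A = pow(g, self.a, N)                   # message 1: I, A -> server

    def answer(self, salt: bytes, B: int) -> bytes:
        if B % N == 0:
            raise ValueError("server public value B must not be 0 mod N")
        u = H(pad(self.A), pad(B))
        if u == 0:
            raise ValueError("scrambler u must not be 0")
        x = private_x(salt, self.I, self.P)
        # B - k*g^x == g^b (mod N), so S = g^(b(a + ux))
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = sha(pad(S))
        self.M1 = sha(pad(self.A), pad(B), self.K)   # message 3: M1 -> server
        return self.M1

    def check_server(self, M2: bytes) -> bool:
        return hmac.compare_digest(sha(pad(self.A), self.M1, self.K), M2)


class Server:
    def __init__(self, salt: bytes, v: int):
        self.salt, self.v = salt, v
        self.b = secrets.randbits(256) | 1
        self.B = (k * v + pow(g, self.b, N)) % N     # message 2: s, B -> client

    def check_client(self, A: int, M1: bytes):
        if A % N == 0:
            raise ValueError("client public value A must not be 0 mod N")
        u = H(pad(A), pad(self.B))
        # (A * v^u)^b == (g^a * g^(xu))^b == g^(b(a + ux)), the client's S
        S = pow(A * pow(self.v, u, N), self.b, N)
        self.K = sha(pad(S))
        if not hmac.compare_digest(sha(pad(A), pad(self.B), self.K), M1):
            return None                              # wrong password: learn nothing else
        return sha(pad(A), M1, self.K)               # message 4: M2 -> client


def handshake(identity: bytes, password: bytes, salt: bytes, v: int) -> bool:
    """Run the four-message exchange; True only if both sides accept."""
    client, server = Client(identity, password), Server(salt, v)
    M1 = client.answer(server.salt, server.B)
    M2 = server.check_client(client.A, M1)
    return M2 is not None and client.check_server(M2)


if __name__ == "__main__":
    # Constructed sample credentials for the demonstration.
    salt, v = register(b"alice", b"correct horse battery staple")
    print("right password:", handshake(b"alice", b"correct horse battery staple", salt, v))
    print("wrong password:", handshake(b"alice", b"Tr0ub4dor&3", salt, v))
```

The two checks that A and B are non-zero mod N are not decoration: without them a peer can send 0 and force the shared secret S to 0, which is the classic SRP implementation mistake. Note also that the server's password file holds v, which is a discrete-log commitment to x and not a hash that can be tested against a candidate password without solving that problem for each guess, and that a failed M1 gives the server nothing it can take offline.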

> I've not heard of SRP before, but it seems like it's trying to solve an already solved problem ...

SRP came out in 2000:

* https://tools.ietf.org/html/rfc2945

* https://en.wikipedia.org/wiki/Secure_Remote_Password_protoco...

It's WebAuthN that's the Johnny-come-lately to the auth world.
