Crate srp

source · []
Expand description

RustCrypto: SRP

crate Docs Apache2/MIT licensed Rust Version Project Chat Build Status

Pure Rust implementation of the Secure Remote Password password-authenticated key-exchange algorithm.



This implementation is generic over hash functions using the Digest trait, so you will need to choose a hash function, e.g. Sha256 from sha2 crate.

Additionally this crate allows to use a specialized password hashing algorithm for private key computation instead of method described in the SRP literature.

Compatibility with other implementations has not yet been tested.

⚠️ Security Warning

This crate has never received an independent third party audit for security and correctness.


Minimum Supported Rust Version

Rust 1.56 or higher.

Minimum supported Rust version can be changed in the future, but it will be done with a minor version bump.


Licensed under either of:

at your option.


Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.


Add srp dependency to your Cargo.toml:

srp = "0.6"

Next read documentation for client and server modules.

Algorithm description

Here we briefly describe implemented algorithm. For additional information refer to SRP literature. All arithmetic is done modulo N, where N is a large safe prime (N = 2q+1, where q is prime). Additionally g MUST be a generator modulo N. It’s STRONGLY recommended to use SRP parameters provided by this crate in the groups module.

ClientData transferServer
a_pub = g^aa_pub, I —>(lookup s, v for given I)
x = PH(P, s)<— b_pub, sb_pub = k*v + g^b
u = H(a_pub ‖ b_pub)u = H(a_pub ‖ b_pub)
s = (b_pub - k*g^x)^(a+u*x)S = (b_pub - k*g^x)^(a+u*x)
K = H(s)K = H(s)
M1 = H(A ‖ B ‖ K)M1 —>(verify M1)
(verify M2)<— M2M2 = H(A ‖ M1 ‖ K)

Variables and notations have the following meaning:

  • I — user identity (username)
  • P — user password
  • H — one-way hash function
  • PH — password hashing algroithm, in the RFC 5054 described as H(s ‖ H(I ‖ ":" ‖ P))
  • ^ — (modular) exponentiation
  • — concatenation
  • x — user private key
  • s — salt generated by user and stored on the server
  • v — password verifier equal to g^x and stored on the server
  • a, b — secret ephemeral values (at least 256 bits in length)
  • A, B — Public ephemeral values
  • u — scrambling parameter
  • k — multiplier parameter (k = H(N || g) in SRP-6a)


SRP client implementation.

Groups from RFC 5054

SRP server implementation

Additional SRP types.