Timeline for Challenging challenge: client-side password hashing and server-side password verification
Current License: CC BY-SA 3.0
5 events
| when | what | | by | license | comment |
|---|---|---|---|---|---|
| Jun 5, 2014 at 13:39 | comment | added | simbo1905 | | This has been done with [Ruslan Zavacky's srp-6a-demo](https://github.com/RuslanZavacky/srp-6a-demo) which uses PHP on the server and runs the SRP server-side algorithm in PHP. |
| Jul 14, 2012 at 11:07 | comment | added | Jason Smith | | Sorry for the sloppy wording. Let me rephrase that: SRP looks like the perfect solution for the challenge-response problem, but still requires client-side password hashing. Thus I still have the dilemma of choosing between fewer hashing rounds client-side, or skipping the challenge/response and doing all hashing rounds server-side. |
| Jul 13, 2012 at 17:31 | comment | added | Jason Smith | | I studied the protocol. Am I right that one still needs to calculate the PBKDF2 client-side? If so, using SRP only helps the challenge-response, but does nothing to improve the key stretching. |
| Jul 12, 2012 at 22:04 | comment | added | Jason Smith | | Thanks for the suggestion. This looks indeed useful. Unfortunately, I was only able to find two JavaScript implementations: srp-js (which appears to be abandoned/incomplete) and Clipperz (which is bulky and requires a 430 KB JavaScript download each time a user tries to log in). Native support by the major browsers is currently limited to Firefox. I read this. Nonetheless, this does seem the way to go. I keep looking for a lightweight SRP implementation in JavaScript + PHP. |
| Jul 12, 2012 at 20:16 | history | answered | broadway | CC BY-SA 3.0 | |