This means that an attacker who steals the server data cannot masquerade as the client unless they first perform a brute force search for the password.
This means that the server also authenticates itself to the client, which prevents phishing without reliance on the user parsing complex URLs.
The SRP protocol has a number of desirable properties: it allows a user to authenticate themselves to a server, it is resistant to dictionary attacks mounted by an eavesdropper, and it does not require a trusted third party.
The SRP protocol creates a large private key shared between the two parties in a manner similar to Diffie–Hellman key exchange, based on the client side having the user password and the server side having a cryptographic verifier derived from the password.
SRP version 6a is also used for strong password authentication in SSL/TLS[6] (in TLS-SRP) and other standards such as EAP[7] and SAML, and is part of IEEE 1363.2 and ISO/IEC 11770-4.
First, to establish a password p with server Steve, client Carol picks a random salt s, and computes x = H(s, p), v = g^x.
Note that the salt s is shared and exchanged to negotiate a session key later, so the value could be chosen by either side; it is chosen by Carol so that she can register I, s and v in a single registration request.
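The registration step above, as an added example that is not part of the original page: Carol derives x = H(s, p) and v = g^x mod N and sends only (I, s, v). The group built by `demo_group`, the SHA-256 encoding of H(s, p) as a hash over s || p, and all function names are assumptions made for illustration; a deployment uses a standardized SRP group rather than this demo-sized one.

```python
import hashlib, secrets

_SMALL = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    """Miller-Rabin with fixed bases; adequate for building a demo group."""
    if n < 2:
        return False
    for p in _SMALL:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _SMALL:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # no base-a witness of primality: n is composite
    return True

def demo_group(bits=256):
    """Constructed group: first safe prime N = 2q + 1 above 2**(bits-1), g = 2."""
    q = 2 ** (bits - 2) + 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, 2

def H(salt, password):
    """x = H(s, p); SHA-256 over s || p is an assumed encoding."""
    return int.from_bytes(hashlib.sha256(salt + password.encode()).digest(), "big")

def register(identity, password, N, g, salt=None):
    """Carol's side: returns the record (I, s, v) sent to Steve; p and x stay local."""
    s = salt if salt is not None else secrets.token_bytes(16)
    v = pow(g, H(s, password), N)
    return identity, s, v

if __name__ == "__main__":
    N, g = demo_group()
    I, s, v = register("carol", "constructed sample password", N, g)
    print(I, s.hex(), hex(v))
```

Because s is random per registration, two users with the same password get different verifiers, and the record Steve stores contains neither p nor x.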
This attack would not be possible had Steve waited for Carol to prove she was able to compute the correct key before sending an encrypted message.
In 2021 Daniel De Almeida Braga, Pierre-Alain Fouque and Mohamed Sabt published PARASITE,[10] a paper in which they demonstrate practical exploitation of a timing attack over the network.
SRP-6a is found in standards as: IEEE 1363.2 also includes a description of "SRP5", a variant replacing the discrete logarithm with an elliptic curve contributed by Yongge Wang in 2001.