Subject: SRP Performance
Author: Jim Starkey

I did an implementation of the Secure Remote Password (SRP-6)
computations using the TomLibCrypt multi-precision arithmetic library.
The server side computation of the RFC test vectors takes from around 1.3
milliseconds on a 64-bit gcc Linux box compiled for release to about 9.6
milliseconds on 32-bit Visual Studio compiled for debug. It is likely
to be substantially faster using the GNU GMP library (p-i-t-a
portability issues, however).

The implementation uses three primary classes:

* RemoteGroup to hold a chosen prime and generator
* RemotePassword to do client and server side computations
* BigNumber C++ wrapper around the multiple-precision arithmetic library
* An accessor Transform for BigNumber

RemotePassword.cpp is less than 200 lines counting both the RFC 5054
test vectors and my ordinary lavish comments.

The protocol requires a single exchange for the client and server to
compute a session key, which, if the client has the password and the server
a pre-computed password verifier, will be the same. The RFC calls for
an unspecified mechanism for the client and server to verify that the
keys match, though if the subsequent messages are encrypted with the
resulting key, that probably isn't necessary if an invalid message can be
reliably and conveniently detected.

--
Jim Starkey
Founder, NimbusDB, Inc.
978 526-1376
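
The single exchange and the key-match check described in the message above, as an added Python example; it is not Jim Starkey's C++ code and does not reproduce his classes. It assumes the SHA-1 hash and 1024-bit group of RFC 5054, and the function names, the choice of K = H(S) and the HMAC confirmation tag are this example's own assumptions.

```python
import hashlib, hmac, secrets

# 1024-bit group from RFC 5054 Appendix A (generator 2); SHA-1 as in the RFC.
N = int("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
        "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
        "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
        "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8

def H(*parts):
    return hashlib.sha1(b"".join(parts)).digest()
def pad(n):                        # PAD(): left-pad to the byte length of N
    return n.to_bytes(NLEN, "big")
def to_int(b):
    return int.from_bytes(b, "big")

k = to_int(H(pad(N), pad(g)))      # SRP-6a multiplier

def private_x(salt, user, password):
    return to_int(H(salt, H(user + b":" + password)))

def server_session(A, b, v):
    # Server holds only the verifier v = g^x mod N, never the password.
    if A % N == 0:                 # A = 0 mod N would force S = 0 for any password
        raise ValueError("illegal client public value")
    B = (k * v + pow(g, b, N)) % N
    u = to_int(H(pad(A), pad(B)))
    S = pow(A * pow(v, u, N) % N, b, N)
    return B, H(pad(S))            # K = H(S): this example's assumption

def client_session(a, B, salt, user, password):
    if B % N == 0:
        raise ValueError("illegal server public value")
    u = to_int(H(pad(pow(g, a, N)), pad(B)))
    x = private_x(salt, user, password)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return H(pad(S))

def confirm(K, A, B):              # hypothetical key-confirmation tag over A and B
    return hmac.new(K, pad(A) + pad(B), hashlib.sha1).digest()

def run_exchange(salt, user, typed, enrolled):
    v = pow(g, private_x(salt, user, enrolled), N)   # done once at enrollment
    a, b = secrets.randbits(256), secrets.randbits(256)
    A = pow(g, a, N)                                 # client -> server
    B, K_server = server_session(A, b, v)            # server -> client
    K_client = client_session(a, B, salt, user, typed)
    return hmac.compare_digest(confirm(K_client, A, B), confirm(K_server, A, B))
```

With a wrong password both sides still finish the computation without error; only the confirmation tag (or a failed decryption of the first protected message) reveals the mismatch.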


