{"id":7752,"library":"srptools","title":"SRPTools","description":"SRPTools is a Python library designed for implementing Secure Remote Password (SRP) authentication, a robust password-authenticated key agreement protocol (PAKE). It provides tools for both client and server sides to perform secure password-based authentication and key exchange over an insecure network. The current version is 1.0.1, with an infrequent release cadence indicating a stable and mature codebase.","status":"active","version":"1.0.1","language":"en","source_language":"en","source_url":"https://github.com/idlesign/srptools","tags":["security","authentication","SRP","cryptography","protocol"],"install":[{"cmd":"pip install srptools","lang":"bash","label":"Install stable release"}],"dependencies":[{"reason":"Required only if using the command-line utility provided with srptools.","package":"click","optional":true}],"imports":[{"symbol":"SRPContext","correct":"from srptools import SRPContext"},{"symbol":"SRPClientSession","correct":"from srptools import SRPClientSession"},{"symbol":"SRPServerSession","correct":"from srptools import SRPServerSession"},{"note":"Contains basic constants for SRPContext agreement.","symbol":"constants","correct":"from srptools import constants"}],"quickstart":{"code":"from srptools import SRPContext, SRPServerSession, SRPClientSession\n\n# User credentials\nusername = 'alice'\npassword = 'password123'\n\n# Step 1: Server stores salt and verifier for a user\ncontext = SRPContext(username, password)\nsalt, verifier = context.create_salted_verification_key()\nprint(f\"Server stores -> Salt: {salt}, Verifier: {verifier}\")\n\n# --- Client side operations ---\nclient_session = SRPClientSession(context)\nclient_public_key = client_session.start_authentication()\nprint(f\"Client sends -> Public Key A: {client_public_key}\")\n\n# --- Server side operations ---\n# Server retrieves stored salt and verifier for the username\nserver_session = SRPServerSession(context, salt, verifier)\nserver_public_key = server_session.start_authentication(client_public_key)\nprint(f\"Server sends -> Public Key B: {server_public_key}\")\n\n# --- Client side operations (receives B from server) ---\nclient_key = client_session.process(server_public_key)\nprint(f\"Client computed -> Session Key K: {client_key}\")\nprint(f\"Client sends -> Proof M: {client_session.M}\")\n\n# --- Server side operations (receives Client Proof M from client) ---\nserver_key = server_session.process(client_session.M)\nprint(f\"Server computed -> Session Key K: {server_key}\")\n\n# Verify client proof on server\nif client_session.M == server_session.M:\n    print(\"Server: Client proof (M) matches. Authentication in progress.\")\n    # Verify session keys match\n    if client_session.K == server_session.K:\n        print(\"Server: Session keys (K) match. Authentication successful.\")\n    else:\n        print(\"Server Error: Session keys do not match.\")\nelse:\n    print(\"Server Error: Client proof (M) does not match.\")\n\n# Server sends its proof (HAMK) to the client\nprint(f\"Server sends -> Proof HAMK: {server_session.HAMK}\")\n\n# --- Client side operations (receives Server Proof HAMK from server) ---\nif client_session.verify_session(server_session.HAMK):\n    print(\"Client: Server proof (HAMK) verified. Mutual authentication complete.\")\nelse:\n    print(\"Client Error: Server proof (HAMK) verification failed.\")","lang":"python","description":"This quickstart demonstrates a full SRP-6a authentication flow between a client and a server using `srptools`. It covers the generation of salt and verifier, public key exchange, and session key derivation and verification. Remember to handle `SRPException` in a real application."},"warnings":[{"fix":"Always catch `srptools.SRPException` and stop the authentication process immediately if it occurs. Do not continue with further SRP steps.","message":"The `.process()` methods of `SRPClientSession` and `SRPServerSession` can raise `SRPException` under certain circumstances, indicating a failure in the SRP protocol flow (e.g., invalid public keys, incorrect proofs).","severity":"gotcha","affected_versions":"All versions"},{"fix":"Refer to RFC 2945 and RFC 5054 for standard SRP-6a specifications. Test interoperability thoroughly with the target client/server implementation. Consider using widely accepted groups (e.g., `constants.PRIME_1024`, `constants.PRIME_2048`) and hash functions (`constants.HASH_SHA256`).","message":"When interoperating with other SRP implementations (e.g., in other languages or libraries like `pysrp`), ensure that both sides use compatible SRP-6a parameters, hashing algorithms, and key derivation functions. Slight variations in implementation details can lead to authentication failures.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Ensure your application runs on Python 3 and review its compatibility. While `srptools` itself works on Python 3, surrounding codebase might not be maintained.","message":"Although `srptools` supports Python 2 and 3, Python 2 is end-of-life. Continued development on Python 2 compatible codebases may expose projects to security vulnerabilities or lack of support.","severity":"deprecated","affected_versions":"<= 1.0.1"}],"env_vars":null,"last_verified":"2026-04-16T00:00:00.000Z","next_check":"2026-07-15T00:00:00.000Z","problems":[{"fix":"Review the order of operations in your SRP authentication flow. Ensure public keys are correctly generated, transmitted, and processed by the respective `start_authentication` and `process` methods. Check that context parameters (username, password, N, g, H) are identical on both client and server up to the point of key exchange.","cause":"The client or server exchanged an invalid public key (A or B), or a step in the protocol was out of order, leading to a cryptographic mismatch.","error":"srptools.SRPException: Invalid public key 'B'"},{"fix":"Double-check that the `salt` and `verifier` used by the server correctly correspond to the `username` and `password` used by the client. Ensure that the public keys `A` and `B` are transmitted without modification and that the `process()` methods are called with the correct counterparts. Any mismatch in shared secrets or parameters will cause key divergence.","cause":"The derived session keys (K) on the client and server sides do not match, indicating a failure in the key exchange or verification process. This could be due to incorrect input parameters (salt, verifier, public keys) or a tampered exchange.","error":"Authentication Failed: Session keys do not match."}]}