14.6.2. Configure Secure Remote Password (SRP) Protocol

To use Secure Remote Password (SRP) Protocol in your application, you first create an MBean which implements the SRPVerifierStore interface. Information about the implementation is provided in The SRPVerifierStore Implementation.

Procedure 14.5. Integrate the Existing Password Store

  1. Create the hashed password information store.

    If your passwords are already stored in an irreversible hashed form, you need to do this on a per-user basis.
    You can implement setUserVerifier(String, VerifierInfo) as a noOp method, or a method that throws an exception stating that the store is read-only.
  2. Create the SRPVerifierStore interface.

    Create a custom SRPVerifierStore interface implementation that can obtain the VerifierInfo from the store you created.
    The verifyUserChallenge(String, Object) can be used to integrate existing hardware token based schemes like SafeWord or Radius into the SRP algorithm. This interface method is called only when the client SRPLoginModule configuration specifies the hasAuxChallenge option.
  3. Create the JNDI MBean.

    Create a MBean that exposes the SRPVerifierStore interface available to JNDI, and exposes any configurable parameters required.
    The default org.jboss.security.srp.SRPVerifierStoreService allows you to implement this. You can also implement the MBean using a Java properties file implementation of SRPVerifierStore.
The SRPVerifierStore Implementation

The default implementation of the SRPVerifierStore interface is not recommended for production systems, becauase it requires all password hash information to be available as a file of serialized objects.

The SRPVerifierStore implementation provides access to the SRPVerifierStore.VerifierInfo object for a given username. The getUserVerifier(String) method is called by the SRPService at the start of a user SRP session to obtain the parameters needed by the SRP algorithm.

Elements of a VerifierInfo Object

The username or user ID used to authenticate
A one-way hash of the password the user enters as proof of identity. The org.jboss.security.Util class includes a calculateVerifier method which performs the password hashing algorithm. The output password takes the form H(salt | H(username | ':' | password)), where H is the SHA secure hash function as defined by RFC2945. The username is converted from a string to a byte[] using UTF-8 encoding.
A random number used to increase the difficulty of a brute force dictionary attack on the verifier password database in the event that the database is compromised. The value should be generated from a cryptographically strong random number algorithm when the user's existing clear-text password is hashed.
The SRP algorithm primitive generator. This can be a well known fixed parameter rather than a per-user setting. The org.jboss.security.srp.SRPConf utility class provides several settings for g, including a suitable default obtained via SRPConf.getDefaultParams().g().
The SRP algorithm safe-prime modulus. This can be a well-known fixed parameter rather than a per-user setting. The org.jboss.security.srp.SRPConf utility class provides several settings for N including a good default obtained via SRPConf.getDefaultParams().N().

Example 14.15. The SRPVerifierStore Interface

package org.jboss.security.srp;

import java.io.IOException;
import java.io.Serializable;
import java.security.KeyException;

public interface SRPVerifierStore
    public static class VerifierInfo implements Serializable

        public String username;

        public byte[] salt;
        public byte[] g;
        public byte[] N;

    public VerifierInfo getUserVerifier(String username)
        throws KeyException, IOException;

    public void setUserVerifier(String username, VerifierInfo info)
        throws IOException;

     public void verifyUserChallenge(String username, Object auxChallenge)
         throws SecurityException;