Nimbus SRP datasheet

Secure Remote Password (SPR) protocol

Nimbus SRP implements revision 6a of the Secure Remote Password protocol (2002). It provides:

  • Verifier generation
  • Client-side authentication
  • Server-side authentication

The default routines for computing the various protocol variables and messages comply with RFC 5054 (SRP for TLS), with the following exceptions / additions:

  • The computation of the password key 'x' is modified to omit the user identity 'I' in order to allow for server-side user identity renaming as well as authentication with multiple alternate identities.
  • Adds routines for computing the evidence messages 'M1' and 'M2', according to Tom Wu's paper "SRP-6: Improvements and refinements to the Secure Remote Password protocol", table 5, from 2002.

The library provides interfaces for plugging in custom routines for the password key 'x' as well as for the client and server evidence messages 'M1' and 'M2'.


  • Java 7+


The Nimbus SRP library comes with an open source Apache 2.0 licence.


The verifier generator supports the following configuration settings:

  • Preferred crypto parameters safe prime 'N' and generator 'g'.
  • Choice of hash algorithm.
  • Custom password key 'x' routine.

The client and server session classes support the following configuration settings:

  • Preferred crypto parameters safe prime 'N' and generator 'g'.
  • Choice of hash algorithm.
  • Configurable session timeouts.
  • Custom password key 'x' routine.
  • Custom routine for the 'u' hash of 'A' and 'B'.
  • Custom client evidence message 'M1' routine.
  • Custom server evidence message 'M2' routine.

Change log

version 1.0 (2011-10-31)

  • First release.

version 1.1 (2011-11-09)

  • Adds a convenient verifier 'v' generator class.
  • Adds interfaces to allow definition of custom routines for the password key 'x', the server evidence message 'M1' and the client evidence message 'M2'.

version 1.2 (2011-11-18)

  • Enables storage of arbitrary SRP-6a auth session attributes.
  • Adds session 'A', 'B', 'M1' and 'M2' getter methods.

version 1.3 (2011-11-28)

  • Adds command-line SRP-6a verifier generator, server and client.

version 1.4 (2012-07-30)

  • Removes unused lookUpHexAlphabet field and LOOKUPLENGTH constant.
  • Fixes SRP6Session.hasTimedOut() bug.

version 1.4.1 (2013-04-05)

  • Switches build to Apache Maven.
  • Publishes library to Maven Central.

version 1.5 (2014-06-10)

  • Adds interface for custom computeU routine.
  • Refactors BigInteger utility class.
  • Switches project license to Apache 2.0.

version 1.5.1 (2014-08-15)

  • Introduces stricter 'g' parameter checking.
  • Adds precomputed 1536 and 2048-bit 'N' parameters from RFC 5054, Appendix A.

version 1.5.2 (2014-12-22)

  • Adds missing URoutine support to client session (issue #9).
  • Fixes BigInteger to byte array conversion in SRP6VerifierGenerator (issue #10).

version 1.5.3 (2015-06-03)

  • Makes SRP6Session serialisable (issue #3).

version 2.0.0 (2016-10-27)

  • Consistent use of RFC2945 conversions between byte array and BigInteger (issues #11, #12, #13) by Jonathan Haas.
  • Changed method signature of getSessionKey (now two methods not one with a switch)
  • Depending on how you are generating your random salt, and whether it is an RFC2945 legal byte string, you may lock your users out upgrading from older version. It is best to assume all users will have to reset their verifier if upgrading from a previous version.

version 2.0.1 (2016-11-16)

  • Mitigates timing attacks to probe the existence of user identities on the server side. The attack could take advantage of the server code returning the "bad credentials" error at different times for the case when the user doesn't exist and for the case when the user exists but the password is invalid (issue #19).

version 2.0.2 (2017-04-22)

  • Fixes generation of the random private value to satisfy the length requirements defined in RFC 5054. The routine efficiency is improved (issue #20).