DEV Community: MARUCIE The latest articles on DEV Community by MARUCIE (@marucie). https://dev.to/marucie https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3840012%2F08a8ca8c-606c-4c99-817a-01db0ca84306.png DEV Community: MARUCIE https://dev.to/marucie en The Password Manager That Talks to AI: Building an MCP Credential Gateway MARUCIE Mon, 23 Mar 2026 11:37:58 +0000 https://dev.to/marucie/the-password-manager-that-talks-to-ai-building-an-mcp-credential-gateway-2l1c https://dev.to/marucie/the-password-manager-that-talks-to-ai-building-an-mcp-credential-gateway-2l1c <blockquote> <p>Your AI agent needs 50 API keys. You have 50 <code>.env</code> files. Something has to give.</p> </blockquote> <h2> The Problem Nobody Talks About </h2> <p>Every developer building with AI agents hits the same wall. Your agent needs to call the OpenAI API. Then Stripe. Then AWS. Then GitHub. Before you know it, you are managing 50+ API keys across a dozen projects, scattered in plaintext <code>.env</code> files, pasted into chat windows, or hardcoded into config objects you swear you will clean up later.</p> <p>This is not a minor inconvenience. It is an architectural failure mode:</p> <ul> <li> <strong>Plaintext secrets in <code>.env</code> files</strong> get committed to git, leaked in screenshots, and copied across machines without audit trails.</li> <li> <strong>No revocation granularity.</strong> When an agent misbehaves, you revoke the key manually -- which breaks every other agent using the same key.</li> <li> <strong>No policy enforcement.</strong> Nothing prevents your coding assistant from making a $500 API call at 3 AM because it decided to "try something."</li> <li> <strong>No audit trail.</strong> When something goes wrong, you have no idea which agent accessed which credential, when, or why.</li> </ul> <p>We built <a href="https://github.com/MARUCIE/authbox" rel="noopener noreferrer">Auth Box</a> to solve this. It is a zero-knowledge password manager -- like 1Password, but with a seed phrase instead of a master account, and a built-in MCP server that gives AI agents controlled, auditable access to credentials.</p> <h2> What is MCP? </h2> <p><a href="https://modelcontextprotocol.io/" rel="noopener noreferrer">Model Context Protocol</a> (MCP) is Anthropic's open standard for connecting AI models to external tools and data sources. Think of it as USB-C for AI integrations: a single protocol that any AI assistant can use to interact with any external system.</p> <p>An MCP server exposes <strong>tools</strong> -- structured function calls that an AI model can invoke. The model sees a tool's name, description, and input schema, then decides when and how to call it. The key insight is that the model never sees the implementation details. It just knows "I can call <code>get_credential</code> to get an API key."</p> <p>Auth Box implements an MCP server that exposes three tools:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Tool</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td><code>get_credential</code></td> <td>Retrieve a credential from the vault, filtered by policy</td> </tr> <tr> <td><code>proxy_authenticated_request</code></td> <td>Make an HTTP request with credentials injected server-side</td> </tr> <tr> <td><code>list_available_services</code></td> <td>Discover what credentials are available</td> </tr> </tbody> </table></div> <p>The critical one is <code>proxy_authenticated_request</code>. Instead of handing raw API keys to the agent, Auth Box injects the credential into the HTTP request on the server side. The agent says "call the OpenAI API with this prompt" -- it never sees the key itself.</p> <h2> Architecture: How the Gateway Works </h2> <p>The MCP gateway lives in the <code>@authbox/mcp-protocol</code> package and runs as a WebSocket server. Here is the full flow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>AI Agent (Claude, GPT, etc.) | | WebSocket + delegation key v ┌─────────────────────────────────────┐ │ AuthBoxMCPServer (ws://port:19876) │ │ │ │ 1. Authenticate (verify API key) │ │ 2. Load agent policies │ │ 3. Evaluate PolicyEngine │ │ 4. Execute tool (or deny) │ │ 5. Log audit event (hash-chain) │ └─────────────────┬───────────────────┘ | v ┌─────────────────────────────────────┐ │ VaultBridge (client-side decrypt) │ │ - getCredential() │ │ - proxyRequest() │ │ - logAudit() │ └─────────────────────────────────────┘ </code></pre> </div> <p>The server speaks JSON-RPC 2.0 over WebSocket, implementing the MCP <code>initialize</code>, <code>tools/list</code>, and <code>tools/call</code> methods. Let me walk through each layer.</p> <h3> 1. Per-Agent Delegation Keys (HD Derivation) </h3> <p>Auth Box uses a BIP-39 seed phrase (24 words) as the sole recovery mechanism. From this seed, all keys are derived deterministically using HD (Hierarchical Deterministic) derivation -- the same proven model Bitcoin wallets use:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>seed phrase (24 words) -&gt; master key (PBKDF2-HMAC-SHA512) -&gt; m/auth_box'/vault'/0' -&gt; vault encryption key -&gt; m/auth_box'/sync'/0' -&gt; sync encryption key -&gt; m/auth_box'/agent'/0' -&gt; agent delegation root -&gt; m/auth_box'/agent'/&lt;n&gt;' -&gt; per-agent sub-key (revocable) </code></pre> </div> <p>Each AI agent gets its own derived key at index <code>&lt;n&gt;</code>. Revoking one agent's access does not affect any other agent -- you just invalidate that specific derivation index. No shared secrets, no blast radius.</p> <h3> 2. The Policy Engine </h3> <p>Every tool call passes through the <code>PolicyEngine</code> before execution. Policies are stacked by priority and evaluated in order. All policies must pass for the request to succeed.</p> <p>Five policy types are supported:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Policy types evaluated on every credential access</span> <span class="kr">enum</span> <span class="nx">PolicyType</span> <span class="p">{</span> <span class="nx">ItemScope</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">item_scope</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// WHICH credentials the agent can access</span> <span class="nx">ActionPermission</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">action_perm</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// WHAT it can do (read, use, proxy)</span> <span class="nx">RateLimit</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">rate_limit</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// HOW OFTEN (e.g., 100 requests per 300s)</span> <span class="nx">TimeWindow</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">time_window</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// WHEN (e.g., weekdays 9AM-6PM only)</span> <span class="nx">StepUp</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">step_up</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// REQUIRE human approval for sensitive ops</span> <span class="p">}</span> </code></pre> </div> <p>A real-world policy configuration might look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Allow the coding assistant to read LLM keys, but not payment credentials.</span> <span class="c1">// Rate limit to 100 requests per 5 minutes. Require approval for proxy requests.</span> <span class="kd">const</span> <span class="nx">policies</span><span class="p">:</span> <span class="nx">AgentPolicy</span><span class="p">[]</span> <span class="o">=</span> <span class="p">[</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">scope-llm-only</span><span class="dl">'</span><span class="p">,</span> <span class="na">agentId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">claude-coding-agent</span><span class="dl">'</span><span class="p">,</span> <span class="na">policyType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">item_scope</span><span class="dl">'</span><span class="p">,</span> <span class="na">rules</span><span class="p">:</span> <span class="p">{</span> <span class="na">allowedItemTypes</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">api_key</span><span class="dl">'</span><span class="p">]</span> <span class="p">},</span> <span class="na">priority</span><span class="p">:</span> <span class="mi">100</span><span class="p">,</span> <span class="na">enabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">action-read-only</span><span class="dl">'</span><span class="p">,</span> <span class="na">agentId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">claude-coding-agent</span><span class="dl">'</span><span class="p">,</span> <span class="na">policyType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">action_perm</span><span class="dl">'</span><span class="p">,</span> <span class="na">rules</span><span class="p">:</span> <span class="p">{</span> <span class="na">allowedActions</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">read</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">proxy</span><span class="dl">'</span><span class="p">]</span> <span class="p">},</span> <span class="na">priority</span><span class="p">:</span> <span class="mi">90</span><span class="p">,</span> <span class="na">enabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">rate-limit-100</span><span class="dl">'</span><span class="p">,</span> <span class="na">agentId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">claude-coding-agent</span><span class="dl">'</span><span class="p">,</span> <span class="na">policyType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">rate_limit</span><span class="dl">'</span><span class="p">,</span> <span class="na">rules</span><span class="p">:</span> <span class="p">{</span> <span class="na">maxRequests</span><span class="p">:</span> <span class="mi">100</span><span class="p">,</span> <span class="na">windowSeconds</span><span class="p">:</span> <span class="mi">300</span> <span class="p">},</span> <span class="na">priority</span><span class="p">:</span> <span class="mi">80</span><span class="p">,</span> <span class="na">enabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">business-hours</span><span class="dl">'</span><span class="p">,</span> <span class="na">agentId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">claude-coding-agent</span><span class="dl">'</span><span class="p">,</span> <span class="na">policyType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">time_window</span><span class="dl">'</span><span class="p">,</span> <span class="na">rules</span><span class="p">:</span> <span class="p">{</span> <span class="na">allowedHours</span><span class="p">:</span> <span class="p">{</span> <span class="na">start</span><span class="p">:</span> <span class="mi">9</span><span class="p">,</span> <span class="na">end</span><span class="p">:</span> <span class="mi">18</span> <span class="p">},</span> <span class="na">allowedDays</span><span class="p">:</span> <span class="p">[</span><span class="mi">1</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">5</span><span class="p">],</span> <span class="c1">// Mon-Fri</span> <span class="p">},</span> <span class="na">priority</span><span class="p">:</span> <span class="mi">70</span><span class="p">,</span> <span class="na">enabled</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">},</span> <span class="p">];</span> </code></pre> </div> <h3> 3. Step-Up Approval </h3> <p>For sensitive operations, the <code>step_up</code> policy type pauses execution and sends a notification to the user (via the browser extension or desktop app). The agent's request blocks until the human approves or denies it, with a configurable timeout (default: 60 seconds).</p> <p>This is the "are you sure?" dialog for AI agents -- except it is enforced at the protocol level, not the UI level. The agent cannot bypass it.</p> <h3> 4. Audit Trail with Hash-Chain Integrity </h3> <p>Every credential access -- allowed or denied -- generates a structured audit event:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">AuditEvent</span> <span class="p">{</span> <span class="nl">actorType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">agent</span><span class="dl">'</span><span class="p">;</span> <span class="nl">actorId</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="c1">// which agent</span> <span class="nl">userId</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="c1">// which user's vault</span> <span class="nl">action</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="c1">// get_credential, proxy_request, list_services</span> <span class="nl">resourceType</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="c1">// credential</span> <span class="nl">resourceId</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="c1">// service name</span> <span class="nl">decision</span><span class="p">:</span> <span class="dl">'</span><span class="s1">allowed</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">denied</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">error</span><span class="dl">'</span><span class="p">;</span> <span class="nl">metadata</span><span class="p">:</span> <span class="p">{</span> <span class="na">reason</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="c1">// why the decision was made</span> <span class="nl">policies</span><span class="p">:</span> <span class="kr">string</span><span class="p">[];</span> <span class="c1">// which policies were evaluated</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>Events are chained with hash-chain integrity -- each event includes the hash of the previous event, making retroactive tampering detectable. If someone modifies an old audit record, every subsequent hash breaks.</p> <h2> The AI Infrastructure Hub </h2> <p>Managing credentials for AI agents is not just about security -- it is also about operational sanity. Auth Box includes a dedicated AI Infrastructure Hub that handles the lifecycle of API keys for 70+ providers:</p> <p><strong>Drag-and-drop <code>.env</code> import.</strong> Drop a <code>.env</code> file into the hub and Auth Box auto-classifies each key by provider (OpenAI, Anthropic, AWS, Stripe, etc.) using pattern matching on key prefixes and known formats.</p> <p><strong>One-click health checks.</strong> For supported providers, Auth Box can verify that a key is still valid by making a minimal API call (e.g., listing models for OpenAI, describing regions for AWS). No more deploying to production only to discover your key expired last Tuesday.</p> <p><strong>Categorized view.</strong> Keys are organized by category -- LLM, Cloud, Payment, Analytics, Communication -- so you can see your entire AI infrastructure at a glance instead of grepping through 30 <code>.env</code> files.</p> <h2> Code Example: Connecting an Agent </h2> <p>Here is how an AI agent connects to Auth Box and retrieves a credential:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">WebSocket</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">ws</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">ws</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">WebSocket</span><span class="p">(</span><span class="dl">'</span><span class="s1">ws://localhost:19876?api_key=YOUR_DELEGATION_KEY</span><span class="dl">'</span><span class="p">);</span> <span class="nx">ws</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">open</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// 1. Initialize the MCP session</span> <span class="nx">ws</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">jsonrpc</span><span class="p">:</span> <span class="dl">'</span><span class="s1">2.0</span><span class="dl">'</span><span class="p">,</span> <span class="na">id</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">initialize</span><span class="dl">'</span><span class="p">,</span> <span class="na">params</span><span class="p">:</span> <span class="p">{</span> <span class="na">protocolVersion</span><span class="p">:</span> <span class="dl">'</span><span class="s1">2024-11-05</span><span class="dl">'</span><span class="p">,</span> <span class="na">clientInfo</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">my-agent</span><span class="dl">'</span><span class="p">,</span> <span class="na">version</span><span class="p">:</span> <span class="dl">'</span><span class="s1">1.0.0</span><span class="dl">'</span> <span class="p">},</span> <span class="p">},</span> <span class="p">}));</span> <span class="c1">// 2. List available tools</span> <span class="nx">ws</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">jsonrpc</span><span class="p">:</span> <span class="dl">'</span><span class="s1">2.0</span><span class="dl">'</span><span class="p">,</span> <span class="na">id</span><span class="p">:</span> <span class="mi">2</span><span class="p">,</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">tools/list</span><span class="dl">'</span><span class="p">,</span> <span class="p">}));</span> <span class="c1">// 3. Retrieve a credential (policy-gated)</span> <span class="nx">ws</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">jsonrpc</span><span class="p">:</span> <span class="dl">'</span><span class="s1">2.0</span><span class="dl">'</span><span class="p">,</span> <span class="na">id</span><span class="p">:</span> <span class="mi">3</span><span class="p">,</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">tools/call</span><span class="dl">'</span><span class="p">,</span> <span class="na">params</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">get_credential</span><span class="dl">'</span><span class="p">,</span> <span class="na">arguments</span><span class="p">:</span> <span class="p">{</span> <span class="na">service_name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">OpenAI</span><span class="dl">'</span><span class="p">,</span> <span class="na">fields</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">api_key</span><span class="dl">'</span><span class="p">]</span> <span class="p">},</span> <span class="p">},</span> <span class="p">}));</span> <span class="c1">// 4. Or better: proxy a request (agent never sees the key)</span> <span class="nx">ws</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">jsonrpc</span><span class="p">:</span> <span class="dl">'</span><span class="s1">2.0</span><span class="dl">'</span><span class="p">,</span> <span class="na">id</span><span class="p">:</span> <span class="mi">4</span><span class="p">,</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">tools/call</span><span class="dl">'</span><span class="p">,</span> <span class="na">params</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">proxy_authenticated_request</span><span class="dl">'</span><span class="p">,</span> <span class="na">arguments</span><span class="p">:</span> <span class="p">{</span> <span class="na">service_name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">OpenAI</span><span class="dl">'</span><span class="p">,</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">url</span><span class="p">:</span> <span class="dl">'</span><span class="s1">https://api.openai.com/v1/chat/completions</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">model</span><span class="p">:</span> <span class="dl">'</span><span class="s1">gpt-4o</span><span class="dl">'</span><span class="p">,</span> <span class="na">messages</span><span class="p">:</span> <span class="p">[{</span> <span class="na">role</span><span class="p">:</span> <span class="dl">'</span><span class="s1">user</span><span class="dl">'</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Hello</span><span class="dl">'</span> <span class="p">}],</span> <span class="p">}),</span> <span class="p">},</span> <span class="p">},</span> <span class="p">}));</span> <span class="p">});</span> <span class="nx">ws</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">message</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">data</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nf">toString</span><span class="p">());</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Response:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">response</span><span class="p">,</span> <span class="kc">null</span><span class="p">,</span> <span class="mi">2</span><span class="p">));</span> <span class="p">});</span> </code></pre> </div> <p>The <code>proxy_authenticated_request</code> tool is the preferred pattern. The agent describes what it wants to do ("POST to the OpenAI completions endpoint with this payload"), and Auth Box handles authentication. The API key never appears in the agent's context window, which eliminates an entire class of prompt injection attacks where a malicious prompt tricks the agent into leaking its credentials.</p> <h2> Why This Matters </h2> <p>The current state of agent credential management is where web authentication was in 2005 -- passwords in plaintext databases, no OAuth, no token rotation, no audit trails. We are building increasingly autonomous systems and handing them the keys to our infrastructure with zero access control.</p> <p>Auth Box takes a different position: <strong>agent credentials, not agent chaos.</strong></p> <ul> <li> <strong>Zero-knowledge.</strong> The server stores only encrypted blobs. It cannot decrypt your vault, your credentials, or your agent keys.</li> <li> <strong>Survivable.</strong> Auth Box uses a 24-word seed phrase. If we disappear tomorrow, your credentials still work. No vendor lock-in.</li> <li> <strong>Granular delegation.</strong> Each agent gets its own derived key with its own policy set. Revoke one without touching the others.</li> <li> <strong>Auditable.</strong> Every access decision is logged with hash-chain integrity. When your agent does something unexpected at 3 AM, you can trace exactly what happened.</li> <li> <strong>MCP-native.</strong> Any AI assistant that speaks MCP can connect. Claude, GPT, Gemini, or your custom agent -- one protocol, one gateway.</li> </ul> <h2> Try It Yourself </h2> <p>Auth Box is open source (MIT).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/MARUCIE/authbox.git <span class="nb">cd </span>authbox pnpm <span class="nb">install </span>make dev-full <span class="c"># Starts Postgres + Redis + API + Web</span> </code></pre> </div> <ul> <li>Web app: <code>http://localhost:3010</code> </li> <li>MCP server: <code>ws://localhost:19876</code> </li> <li>API: <code>http://localhost:4010</code> </li> </ul> <p>The MCP gateway package is at <code>packages/mcp-protocol/</code>. The policy engine, tool definitions, and WebSocket server are each under 300 lines. Read the source -- there is no magic, just careful engineering.</p> <p>GitHub: <a href="https://github.com/MARUCIE/authbox" rel="noopener noreferrer">github.com/MARUCIE/authbox</a></p> <p>Maurice | <a href="mailto:maurice_wen@proton.me">maurice_wen@proton.me</a></p> agents ai mcp security You Trust Your Crypto to 24 Words. Why Not Your Passwords? MARUCIE Mon, 23 Mar 2026 11:34:06 +0000 https://dev.to/marucie/you-trust-your-crypto-to-24-words-why-not-your-passwords-5dch https://dev.to/marucie/you-trust-your-crypto-to-24-words-why-not-your-passwords-5dch <blockquote> <p>Your Bitcoin wallet can survive the apocalypse. Your 1Password vault cannot. Here is how to fix that.</p> </blockquote> <h2> The Vendor Lock-In Nobody Talks About </h2> <p>You have a 1Password vault with 400 entries. Or maybe a Bitwarden export sitting in a JSON file somewhere. Either way, you are one corporate bankruptcy away from losing access to your entire digital life.</p> <p>This is not hypothetical. LastPass was breached in 2022, and millions of encrypted vaults were exfiltrated. The company still exists, but the trust is gone. Now consider: what if they had shut down instead? Those vaults are encrypted with keys derived from your master password -- but the derivation parameters, the encryption format, the vault structure? All proprietary. All dependent on LastPass code existing somewhere.</p> <p>The password manager industry has a dirty secret: <strong>your vault is only as durable as the company that made it.</strong> The encryption is solid, but the <em>format</em> is a single point of failure.</p> <p>Meanwhile, Bitcoin holders sleep soundly knowing that their entire fortune lives in 24 words, and any BIP-39-compatible wallet -- from any vendor, written in any language, on any device -- can restore it.</p> <p>Why don't password managers work the same way?</p> <h2> How Bitcoin Solved This Problem in 2013 </h2> <p>BIP-39 (Bitcoin Improvement Proposal 39) introduced mnemonic seed phrases. The entire system is elegant in its simplicity:</p> <ol> <li>Generate 256 bits of entropy</li> <li>Map it to 24 human-readable words from a standardized 2048-word list</li> <li>Convert words back to a seed using PBKDF2-HMAC-SHA512</li> <li>Derive all keys deterministically from that seed</li> </ol> <p>The critical insight: <strong>the derivation is a pure function.</strong> Same input, same output, every time, on every device, with every implementation. No server. No account. No vendor.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>abandon ability able about above absent absorb abstract absurd abuse access accident | v PBKDF2-HMAC-SHA512 (2048 iterations, salt = "mnemonic" + passphrase) | v 512-bit master seed | v HMAC-SHA512 with domain-specific keys | v m/44'/0'/0'/0/0 -&gt; Bitcoin address #1 m/44'/0'/0'/0/1 -&gt; Bitcoin address #2 m/44'/60'/0'/0/0 -&gt; Ethereum address #1 ... infinite deterministic derivation </code></pre> </div> <p>Twelve years later, every hardware wallet, software wallet, and exchange supports this standard. You can write your seed phrase on a steel plate, bury it, and recover your funds twenty years later with software that does not exist yet. That is the power of a deterministic, vendor-neutral standard.</p> <h2> Applying HD Key Derivation to Password Management </h2> <p><a href="https://github.com/MARUCIE/authbox" rel="noopener noreferrer">Auth Box</a> takes this exact model and applies it to passwords and credentials. The derivation tree looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>seed phrase (24 words, BIP-39) | v PBKDF2-HMAC-SHA512 (2048 rounds) | v master seed (512 bits) | v HMAC-SHA512("authbox seed", master_seed) | +-- m/ABX'/vault'/0' -&gt; vault encryption key (AES-256-GCM) +-- m/ABX'/sync'/0' -&gt; sync encryption key +-- m/ABX'/auth'/0' -&gt; authentication signing key (Ed25519) +-- m/ABX'/agent'/0' -&gt; agent delegation root key +-- m/ABX'/agent'/1' -&gt; per-agent sub-key (revocable) +-- m/ABX'/derive'/n' -&gt; deterministic password for site n </code></pre> </div> <p>Each branch serves a distinct purpose, and the hardened derivation (note the <code>'</code> apostrophes) ensures that compromising one branch cannot reveal any other. This is the same security property that prevents someone who knows your Bitcoin address from deriving your Ethereum keys.</p> <h3> The Implementation </h3> <p>The core is roughly 60 lines of TypeScript built on <code>@noble/hashes</code> (a well-audited, pure-JS crypto library):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// BIP-39 mnemonic -&gt; 512-bit seed</span> <span class="kd">function</span> <span class="nf">mnemonicToSeed</span><span class="p">(</span><span class="nx">mnemonic</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">passphrase</span><span class="p">:</span> <span class="kr">string</span> <span class="o">=</span> <span class="dl">''</span><span class="p">):</span> <span class="nb">Uint8Array</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">mnemonicBytes</span> <span class="o">=</span> <span class="nf">encode</span><span class="p">(</span><span class="nx">mnemonic</span><span class="p">.</span><span class="nf">normalize</span><span class="p">(</span><span class="dl">'</span><span class="s1">NFKD</span><span class="dl">'</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">salt</span> <span class="o">=</span> <span class="nf">encode</span><span class="p">(</span><span class="dl">'</span><span class="s1">mnemonic</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">passphrase</span><span class="p">.</span><span class="nf">normalize</span><span class="p">(</span><span class="dl">'</span><span class="s1">NFKD</span><span class="dl">'</span><span class="p">));</span> <span class="k">return</span> <span class="nf">pbkdf2</span><span class="p">(</span><span class="nx">sha512</span><span class="p">,</span> <span class="nx">mnemonicBytes</span><span class="p">,</span> <span class="nx">salt</span><span class="p">,</span> <span class="p">{</span> <span class="na">c</span><span class="p">:</span> <span class="mi">2048</span><span class="p">,</span> <span class="na">dkLen</span><span class="p">:</span> <span class="mi">64</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// HD key derivation with Auth Box custom purpose</span> <span class="kd">function</span> <span class="nf">deriveKey</span><span class="p">(</span><span class="nx">seed</span><span class="p">:</span> <span class="nb">Uint8Array</span><span class="p">,</span> <span class="nx">purpose</span><span class="p">:</span> <span class="nx">KeyPurpose</span><span class="p">,</span> <span class="nx">index</span><span class="p">:</span> <span class="kr">number</span> <span class="o">=</span> <span class="mi">0</span><span class="p">):</span> <span class="nb">Uint8Array</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">master</span> <span class="o">=</span> <span class="nf">masterKeyFromSeed</span><span class="p">(</span><span class="nx">seed</span><span class="p">);</span> <span class="c1">// HMAC-SHA512("authbox seed", seed)</span> <span class="kd">const</span> <span class="nx">purposeNode</span> <span class="o">=</span> <span class="nf">deriveHardenedChild</span><span class="p">(</span><span class="nx">master</span><span class="p">,</span> <span class="nx">AUTH_BOX_PURPOSE</span><span class="p">);</span> <span class="c1">// "ABX\0"</span> <span class="kd">const</span> <span class="nx">typeNode</span> <span class="o">=</span> <span class="nf">deriveHardenedChild</span><span class="p">(</span><span class="nx">purposeNode</span><span class="p">,</span> <span class="nx">purpose</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">leaf</span> <span class="o">=</span> <span class="nf">deriveHardenedChild</span><span class="p">(</span><span class="nx">typeNode</span><span class="p">,</span> <span class="nx">index</span><span class="p">);</span> <span class="k">return</span> <span class="nx">leaf</span><span class="p">.</span><span class="nx">key</span><span class="p">;</span> <span class="c1">// 32-byte derived key</span> <span class="p">}</span> </code></pre> </div> <p>The <code>AUTH_BOX_PURPOSE</code> constant (<code>0x41425800</code>, which is <code>"ABX\0"</code> as a uint32) acts as a namespace separator, ensuring Auth Box derivation paths never collide with Bitcoin (purpose <code>44'</code>) or Ethereum (purpose <code>60'</code>) even if derived from the same seed phrase.</p> <h3> Deterministic Passwords: The Radical Part </h3> <p>Here is where it gets interesting. Traditional password managers <em>store</em> your passwords. Auth Box can <em>derive</em> them:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">derivePassword</span><span class="p">(</span><span class="nx">seed</span><span class="p">:</span> <span class="nb">Uint8Array</span><span class="p">,</span> <span class="nx">site</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">options</span> <span class="o">=</span> <span class="p">{}):</span> <span class="kr">string</span> <span class="p">{</span> <span class="c1">// 1. Hash the site name to get a deterministic index</span> <span class="kd">const</span> <span class="nx">siteHash</span> <span class="o">=</span> <span class="nf">sha256</span><span class="p">(</span><span class="nx">site</span><span class="p">.</span><span class="nf">toLowerCase</span><span class="p">()</span> <span class="o">+</span> <span class="dl">'</span><span class="se">\</span><span class="s1">0</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">counter</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">siteIndex</span> <span class="o">=</span> <span class="nf">uint32</span><span class="p">(</span><span class="nx">siteHash</span><span class="p">);</span> <span class="c1">// 2. Derive site-specific key material via HD path</span> <span class="kd">const</span> <span class="nx">siteKey</span> <span class="o">=</span> <span class="nf">deriveKey</span><span class="p">(</span><span class="nx">seed</span><span class="p">,</span> <span class="nx">KeyPurpose</span><span class="p">.</span><span class="nx">DERIVE</span><span class="p">,</span> <span class="nx">siteIndex</span><span class="p">);</span> <span class="c1">// 3. Expand to password characters</span> <span class="kd">const</span> <span class="nx">expanded</span> <span class="o">=</span> <span class="nf">hmac</span><span class="p">(</span><span class="nx">sha512</span><span class="p">,</span> <span class="nx">siteKey</span><span class="p">,</span> <span class="dl">'</span><span class="s1">password:</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">site</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">:</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">counter</span><span class="p">);</span> <span class="c1">// 4. Map bytes to character set (a-z, A-Z, 0-9, symbols)</span> <span class="k">return</span> <span class="nf">mapToCharset</span><span class="p">(</span><span class="nx">expanded</span><span class="p">,</span> <span class="nx">charset</span><span class="p">,</span> <span class="nx">length</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>The result: <code>derivePassword(seed, "github.com")</code> always produces the same 20-character password. No vault needed. No sync needed. No server needed. If you have your 24 words and you know the site name, you have the password.</p> <p>The <code>counter</code> parameter handles the inevitable "please change your password" scenario -- increment it from 0 to 1, and you get a completely different password for the same site.</p> <h2> The Unstoppable Promise </h2> <p>Auth Box makes a guarantee that no traditional password manager can:</p> <p><strong>Even if Auth Box ceases to exist -- the company, the servers, the code, the domain -- your 24 words will still recover every password.</strong></p> <p>This works across five degradation levels:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Level</th> <th>Scenario</th> <th>What Still Works</th> </tr> </thead> <tbody> <tr> <td>0</td> <td>Everything online</td> <td>Full app: web UI, sync, AI gateway, audit</td> </tr> <tr> <td>1</td> <td>Servers go down</td> <td>Local vault + Chrome extension + deterministic passwords</td> </tr> <tr> <td>2</td> <td>Company disappears</td> <td>Arweave recovery: fetch encrypted blob, decrypt with seed</td> </tr> <tr> <td>3</td> <td>Device lost</td> <td>Seed phrase + Arweave = full restore on a new device</td> </tr> <tr> <td>4</td> <td>Everything gone</td> <td>Seed phrase alone = derive passwords with any HMAC calculator</td> </tr> </tbody> </table></div> <p>Level 4 is the nuclear option. No internet, no vault, no software. Just 24 words and the publicly documented derivation algorithm. A developer could reimplement the password derivation function in an afternoon using any language with HMAC-SHA512 support.</p> <h3> Arweave: Your Vault Outlives Your Vendor </h3> <p>For the full vault (not just derived passwords, but stored credentials, notes, API keys), Auth Box archives encrypted snapshots to Arweave -- a permanent, decentralized storage network. One-time payment of roughly $0.005/KB. No subscriptions. No renewals. The data persists for 200+ years by design.</p> <p>The encrypted blob on Arweave is useless without your seed phrase. Arweave nodes see only ciphertext. But with your 24 words, you derive the vault key, fetch the blob, decrypt locally, and recover everything.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Recovery flow: 24 words -&gt; derive vault_key (m/ABX'/vault'/0') -&gt; fetch encrypted blob from Arweave -&gt; AES-256-GCM decrypt locally -&gt; full vault restored </code></pre> </div> <h2> Auth Box vs. LessPass: Stateless Password Derivation Compared </h2> <p>LessPass pioneered stateless password derivation in 2016. Auth Box builds on that idea but extends it significantly:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>LessPass</th> <th>Auth Box</th> </tr> </thead> <tbody> <tr> <td>Stateless password derivation</td> <td>Yes (master password + site + username)</td> <td>Yes (seed phrase + site + counter)</td> </tr> <tr> <td>Recovery mechanism</td> <td>Remember master password</td> <td>24-word seed phrase (BIP-39 standard)</td> </tr> <tr> <td>Full vault storage</td> <td>No (stateless only)</td> <td>Yes (AES-256-GCM encrypted vault)</td> </tr> <tr> <td>Permanent backup</td> <td>No</td> <td>Arweave on-chain archive</td> </tr> <tr> <td>AI agent delegation</td> <td>No</td> <td>Per-agent derived keys with policy engine</td> </tr> <tr> <td>Key hierarchy</td> <td>Flat (single master password)</td> <td>HD tree (vault/sync/auth/agent/derive branches)</td> </tr> <tr> <td>Key revocation</td> <td>Change master password (changes everything)</td> <td>Revoke individual agent keys by index</td> </tr> <tr> <td>Import from other managers</td> <td>No</td> <td>13 sources (1Password, Chrome, Bitwarden, etc.)</td> </tr> <tr> <td>Open standard for derivation</td> <td>Custom (PBKDF2 + site params)</td> <td>BIP-39 + BIP-32-style HD derivation</td> </tr> </tbody> </table></div> <p>The key difference: LessPass is <em>only</em> stateless derivation. If a site requires you to store a note, an API key, or a TOTP secret, LessPass cannot help. Auth Box gives you both modes -- deterministic derivation for passwords, plus a full encrypted vault for everything else -- and both are recoverable from the same 24 words.</p> <h2> Try It Yourself </h2> <p>Auth Box is open source under the MIT license.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/MARUCIE/authbox.git <span class="nb">cd </span>authbox pnpm <span class="nb">install </span>make dev </code></pre> </div> <p>The web app starts at <code>http://localhost:3010</code>. Create a vault, write down your 24 words, and try the deterministic password derivation. Then delete the vault and restore it from the seed phrase. The passwords come back identical.</p> <p>The cryptographic core lives in <code>packages/crypto/src/seed.ts</code> -- about 340 lines of TypeScript with no dependencies beyond <code>@noble/hashes</code>. Read it. Audit it. Reimplement it in Rust or Go or Python. That is the whole point: the derivation algorithm is simple enough to verify, standard enough to reimplement, and deterministic enough to trust with your passwords.</p> <p><strong>Your crypto lives in 24 words. Your passwords should too.</strong></p> <p>GitHub: <a href="https://github.com/MARUCIE/authbox" rel="noopener noreferrer">https://github.com/MARUCIE/authbox</a></p> <p>Maurice | <a href="mailto:maurice_wen@proton.me">maurice_wen@proton.me</a></p> bitcoin discuss privacy security Your Password Never Leaves Your Device: Implementing SRP-6a in a Zero-Knowledge Password Manager MARUCIE Mon, 23 Mar 2026 11:32:47 +0000 https://dev.to/marucie/your-password-never-leaves-your-device-implementing-srp-6a-in-a-zero-knowledge-password-manager-2k4l https://dev.to/marucie/your-password-never-leaves-your-device-implementing-srp-6a-in-a-zero-knowledge-password-manager-2k4l <p>Every major password breach follows the same script: attackers compromise a server, dump the password database, and crack hashes offline. LinkedIn (2012, 117M SHA-1 hashes). LastPass (2022, encrypted vaults exfiltrated). The root cause is always the same -- the server had something worth stealing.</p> <p>What if the server never received the password at all?</p> <p>That is the premise behind <a href="https://github.com/MARUCIE/authbox" rel="noopener noreferrer">Auth Box</a>, an open-source zero-knowledge password manager. Its authentication layer uses SRP-6a (Secure Remote Password, revision 6a), a protocol where the client proves it knows the password without ever transmitting it. The server stores only a mathematical derivative called a <em>verifier</em> -- useless without the original password.</p> <p>This post walks through the actual implementation: TypeScript on the client, Go on the server, and the security decisions that matter.</p> <h2> Why Traditional Password Auth Is Broken </h2> <p>The standard model looks like this:</p> <ol> <li>User types password</li> <li>Client sends password (or its hash) to server over TLS</li> <li>Server hashes and compares against stored hash (bcrypt, argon2, etc.)</li> <li>Server returns a session token</li> </ol> <p>The problem is structural. The password -- or enough information to reconstruct it -- crosses the wire and exists in server memory, even if only for milliseconds. This creates attack surfaces at every layer:</p> <ul> <li> <strong>TLS termination</strong>: corporate proxies, CDN edge nodes, or compromised load balancers can intercept plaintext.</li> <li> <strong>Server-side logging</strong>: an accidental <code>console.log(req.body)</code> or a verbose WAF leaks credentials into log stores.</li> <li> <strong>Database breaches</strong>: even with argon2id, offline attackers can crack weak passwords given enough GPU time.</li> <li> <strong>Credential stuffing</strong>: once a password hash leaks from one service, it can be tested against every other service the user has an account with.</li> </ul> <p>SRP eliminates the first two entirely. The password never leaves the client. The server never sees it, not even transiently. For the third attack surface, even if the verifier database is stolen, an attacker cannot reverse it into the original password or use it to impersonate the client -- the verifier alone is not sufficient to complete authentication.</p> <h2> How SRP-6a Works </h2> <p>SRP (Secure Remote Password) was designed by Tom Wu at Stanford in 1998. Version 6a, specified in <a href="https://tools.ietf.org/html/rfc5054" rel="noopener noreferrer">RFC 5054</a>, fixes subtle vulnerabilities in earlier revisions. The key properties:</p> <ol> <li> <strong>Zero-knowledge</strong>: The server never learns the password. Not during registration, not during login, not ever.</li> <li> <strong>Mutual authentication</strong>: The client proves it knows the password, AND the server proves it has the correct verifier. A MITM server cannot fake the handshake.</li> <li> <strong>No password-equivalent stored on the server</strong>: The verifier <code>v</code> is a one-way derivation. Stealing it does not let an attacker log in.</li> <li> <strong>Resistance to offline dictionary attacks</strong>: An eavesdropper who captures the full handshake transcript cannot mount an offline attack without the verifier.</li> </ol> <p>The protocol works in two phases: <strong>registration</strong> and <strong>login</strong>.</p> <h3> Registration </h3> <p>The client computes a verifier from the password and sends it to the server. The password itself never crosses the wire.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>x = H(salt || H(email || ":" || password)) v = g^x mod N Client sends: (salt, v) to server Server stores: (salt, v) per user </code></pre> </div> <p>Here, <code>N</code> is a large safe prime and <code>g</code> is a generator of the multiplicative group modulo N. Auth Box uses the 2048-bit group from RFC 5054 (Group 14).</p> <h3> Login (the handshake) </h3> <p>This is a four-message exchange where both sides independently derive the same session key without revealing the password:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Step 1: Client generates ephemeral keypair a = random, A = g^a mod N Client sends: (email, A) to server Step 2: Server looks up (salt, v) for email b = random, B = k*v + g^b mod N Server sends: (salt, B) to client Step 3: Both sides compute the shared secret S Client: S = (B - k * g^x) ^ (a + u*x) mod N Server: S = (A * v^u) ^ b mod N Both derive: K = H(S) Step 4: Mutual proof Client sends: M1 = H(A || B || K) Server verifies M1, responds: M2 = H(A || M1 || K) Client verifies M2 </code></pre> </div> <p>The multiplier <code>k = H(N || PAD(g))</code> and scrambling parameter <code>u = H(PAD(A) || PAD(B))</code> are the "6a" additions that prevent two-for-one guessing attacks and other weaknesses in earlier SRP versions.</p> <h2> The Implementation </h2> <h3> Shared Constants: RFC 5054 Group Parameters </h3> <p>Both client and server must use identical group parameters. We use the 2048-bit prime from RFC 5054 Appendix A:</p> <p><strong>TypeScript (client):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// RFC 5054, 2048-bit group 14</span> <span class="kd">const</span> <span class="nx">N_HEX</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">AC6BDB41324A9A9BF166DE5E1389582FAF72B6651987EE07FC3192943DB56050</span><span class="dl">'</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">A37329CBB4A099ED8193E0757767A13DD52312AB4B03310DCD7F48A9DA04FD50</span><span class="dl">'</span> <span class="o">+</span> <span class="c1">// ... (256 bytes total)</span> <span class="dl">'</span><span class="s1">94B5C803D89F7AE435DE236D525F54759B65E372FCD68EF20FA7111F9E4AFF73</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">N</span> <span class="o">=</span> <span class="nc">BigInt</span><span class="p">(</span><span class="dl">'</span><span class="s1">0x</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">N_HEX</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">g</span> <span class="o">=</span> <span class="mi">2</span><span class="nx">n</span><span class="p">;</span> </code></pre> </div> <p><strong>Go (server):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">srpN</span><span class="p">,</span> <span class="n">_</span> <span class="o">=</span> <span class="nb">new</span><span class="p">(</span><span class="n">big</span><span class="o">.</span><span class="n">Int</span><span class="p">)</span><span class="o">.</span><span class="n">SetString</span><span class="p">(</span> <span class="s">"AC6BDB41324A9A9BF166DE5E1389582FAF72B6651987EE07FC3192943DB56050"</span><span class="o">+</span> <span class="c">// ... same 2048-bit prime</span> <span class="s">"94B5C803D89F7AE435DE236D525F54759B65E372FCD68EF20FA7111F9E4AFF73"</span><span class="p">,</span> <span class="m">16</span><span class="p">)</span> <span class="n">srpG</span> <span class="o">=</span> <span class="n">big</span><span class="o">.</span><span class="n">NewInt</span><span class="p">(</span><span class="m">2</span><span class="p">)</span> <span class="n">srpK</span> <span class="o">=</span> <span class="n">computeK</span><span class="p">(</span><span class="n">srpN</span><span class="p">,</span> <span class="n">srpG</span><span class="p">)</span> <span class="c">// k = H(N || PAD(g))</span> </code></pre> </div> <p>The <code>k</code> multiplier is precomputed at init time since N and g are fixed.</p> <h3> Client Side: TypeScript with Native BigInt </h3> <p>The client implementation lives in <code>@authbox/crypto</code> and uses <code>@noble/hashes</code> for SHA-256. No WebAssembly, no heavy dependencies -- just native BigInt arithmetic.</p> <p><strong>Modular exponentiation</strong> (the workhorse of SRP):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">modPow</span><span class="p">(</span><span class="nx">base</span><span class="p">:</span> <span class="nx">bigint</span><span class="p">,</span> <span class="nx">exp</span><span class="p">:</span> <span class="nx">bigint</span><span class="p">,</span> <span class="nx">mod</span><span class="p">:</span> <span class="nx">bigint</span><span class="p">):</span> <span class="nx">bigint</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">result</span> <span class="o">=</span> <span class="mi">1</span><span class="nx">n</span><span class="p">;</span> <span class="nx">base</span> <span class="o">=</span> <span class="p">((</span><span class="nx">base</span> <span class="o">%</span> <span class="nx">mod</span><span class="p">)</span> <span class="o">+</span> <span class="nx">mod</span><span class="p">)</span> <span class="o">%</span> <span class="nx">mod</span><span class="p">;</span> <span class="k">while </span><span class="p">(</span><span class="nx">exp</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="nx">n</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">exp</span> <span class="o">&amp;</span> <span class="mi">1</span><span class="nx">n</span><span class="p">)</span> <span class="p">{</span> <span class="nx">result</span> <span class="o">=</span> <span class="p">(</span><span class="nx">result</span> <span class="o">*</span> <span class="nx">base</span><span class="p">)</span> <span class="o">%</span> <span class="nx">mod</span><span class="p">;</span> <span class="p">}</span> <span class="nx">exp</span> <span class="o">&gt;&gt;=</span> <span class="mi">1</span><span class="nx">n</span><span class="p">;</span> <span class="nx">base</span> <span class="o">=</span> <span class="p">(</span><span class="nx">base</span> <span class="o">*</span> <span class="nx">base</span><span class="p">)</span> <span class="o">%</span> <span class="nx">mod</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">result</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p><strong>Registration</strong> -- generate the verifier:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">srpGenerateVerifier</span><span class="p">(</span> <span class="nx">email</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">password</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">salt</span><span class="p">:</span> <span class="nb">Uint8Array</span><span class="p">,</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="p">{</span> <span class="na">salt</span><span class="p">:</span> <span class="nb">Uint8Array</span><span class="p">;</span> <span class="nl">verifier</span><span class="p">:</span> <span class="nb">Uint8Array</span> <span class="p">}</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">x</span> <span class="o">=</span> <span class="nf">computeX</span><span class="p">(</span><span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">,</span> <span class="nx">salt</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">verifier</span> <span class="o">=</span> <span class="nf">modPow</span><span class="p">(</span><span class="nx">g</span><span class="p">,</span> <span class="nx">x</span><span class="p">,</span> <span class="nx">N</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">salt</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Uint8Array</span><span class="p">(</span><span class="nx">salt</span><span class="p">),</span> <span class="na">verifier</span><span class="p">:</span> <span class="nf">bigintToBytes</span><span class="p">(</span><span class="nx">verifier</span><span class="p">,</span> <span class="mi">256</span><span class="p">),</span> <span class="c1">// pad to N's byte length</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p><strong>Login step 1</strong> -- generate ephemeral keypair with safety check:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">srpClientInit</span><span class="p">():</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">SRPClientState</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">let</span> <span class="na">a</span><span class="p">:</span> <span class="nx">bigint</span><span class="p">;</span> <span class="kd">let</span> <span class="na">A</span><span class="p">:</span> <span class="nx">bigint</span><span class="p">;</span> <span class="k">do</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">aBytes</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">getRandomValues</span><span class="p">(</span><span class="k">new</span> <span class="nc">Uint8Array</span><span class="p">(</span><span class="mi">32</span><span class="p">));</span> <span class="nx">a</span> <span class="o">=</span> <span class="nf">bytesToBigint</span><span class="p">(</span><span class="nx">aBytes</span><span class="p">);</span> <span class="nx">A</span> <span class="o">=</span> <span class="nf">modPow</span><span class="p">(</span><span class="nx">g</span><span class="p">,</span> <span class="nx">a</span><span class="p">,</span> <span class="nx">N</span><span class="p">);</span> <span class="p">}</span> <span class="k">while </span><span class="p">(</span><span class="nx">A</span> <span class="o">===</span> <span class="mi">0</span><span class="nx">n</span><span class="p">);</span> <span class="c1">// SRP safety: A mod N must not be 0</span> <span class="k">return</span> <span class="p">{</span> <span class="na">ephemeralSecret</span><span class="p">:</span> <span class="nf">bigintToBytes</span><span class="p">(</span><span class="nx">a</span><span class="p">,</span> <span class="mi">32</span><span class="p">),</span> <span class="na">ephemeralPublic</span><span class="p">:</span> <span class="nf">bigintToBytes</span><span class="p">(</span><span class="nx">A</span><span class="p">,</span> <span class="mi">256</span><span class="p">),</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p><strong>Login step 2</strong> -- compute the proof:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">srpClientVerify</span><span class="p">(</span> <span class="nx">state</span><span class="p">:</span> <span class="nx">SRPClientState</span><span class="p">,</span> <span class="nx">email</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">password</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">salt</span><span class="p">:</span> <span class="nb">Uint8Array</span><span class="p">,</span> <span class="nx">serverPublicB</span><span class="p">:</span> <span class="nb">Uint8Array</span><span class="p">,</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="p">{</span> <span class="na">clientProof</span><span class="p">:</span> <span class="nb">Uint8Array</span><span class="p">;</span> <span class="nl">sessionKey</span><span class="p">:</span> <span class="nb">Uint8Array</span> <span class="p">}</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">a</span> <span class="o">=</span> <span class="nf">bytesToBigint</span><span class="p">(</span><span class="nx">state</span><span class="p">.</span><span class="nx">ephemeralSecret</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">A</span> <span class="o">=</span> <span class="nf">bytesToBigint</span><span class="p">(</span><span class="nx">state</span><span class="p">.</span><span class="nx">ephemeralPublic</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">B</span> <span class="o">=</span> <span class="nf">bytesToBigint</span><span class="p">(</span><span class="nx">serverPublicB</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">B</span> <span class="o">%</span> <span class="nx">N</span> <span class="o">===</span> <span class="mi">0</span><span class="nx">n</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">SRP: invalid server public key</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">u</span> <span class="o">=</span> <span class="nf">computeU</span><span class="p">(</span><span class="nx">A</span><span class="p">,</span> <span class="nx">B</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">u</span> <span class="o">===</span> <span class="mi">0</span><span class="nx">n</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">SRP: scrambling parameter u is zero</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">x</span> <span class="o">=</span> <span class="nf">computeX</span><span class="p">(</span><span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">,</span> <span class="nx">salt</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">k</span> <span class="o">=</span> <span class="nf">computeK</span><span class="p">();</span> <span class="c1">// S = (B - k * g^x) ^ (a + u*x) mod N</span> <span class="kd">const</span> <span class="nx">gx</span> <span class="o">=</span> <span class="nf">modPow</span><span class="p">(</span><span class="nx">g</span><span class="p">,</span> <span class="nx">x</span><span class="p">,</span> <span class="nx">N</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">kgx</span> <span class="o">=</span> <span class="p">(</span><span class="nx">k</span> <span class="o">*</span> <span class="nx">gx</span><span class="p">)</span> <span class="o">%</span> <span class="nx">N</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">base</span> <span class="o">=</span> <span class="p">((</span><span class="nx">B</span> <span class="o">-</span> <span class="nx">kgx</span><span class="p">)</span> <span class="o">%</span> <span class="nx">N</span> <span class="o">+</span> <span class="nx">N</span><span class="p">)</span> <span class="o">%</span> <span class="nx">N</span><span class="p">;</span> <span class="c1">// ensure non-negative</span> <span class="kd">const</span> <span class="nx">S</span> <span class="o">=</span> <span class="nf">modPow</span><span class="p">(</span><span class="nx">base</span><span class="p">,</span> <span class="nx">a</span> <span class="o">+</span> <span class="nx">u</span> <span class="o">*</span> <span class="nx">x</span><span class="p">,</span> <span class="nx">N</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">sessionKey</span> <span class="o">=</span> <span class="nf">hashSHA256</span><span class="p">(</span><span class="nf">bigintToBytes</span><span class="p">(</span><span class="nx">S</span><span class="p">,</span> <span class="mi">256</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">clientProof</span> <span class="o">=</span> <span class="nf">hashSHA256</span><span class="p">(</span> <span class="nf">bigintToBytes</span><span class="p">(</span><span class="nx">A</span><span class="p">,</span> <span class="mi">256</span><span class="p">),</span> <span class="nf">bigintToBytes</span><span class="p">(</span><span class="nx">B</span><span class="p">,</span> <span class="mi">256</span><span class="p">),</span> <span class="nx">sessionKey</span><span class="p">,</span> <span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">clientProof</span><span class="p">,</span> <span class="nx">sessionKey</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <h3> Server Side: Go with crypto/rand </h3> <p>The server creates a session from the stored verifier and verifies the client's proof.</p> <p><strong>Session init</strong> -- compute B:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">NewSRPServer</span><span class="p">(</span><span class="n">verifier</span> <span class="p">[]</span><span class="kt">byte</span><span class="p">)</span> <span class="p">(</span><span class="o">*</span><span class="n">SRPServer</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">v</span> <span class="o">:=</span> <span class="nb">new</span><span class="p">(</span><span class="n">big</span><span class="o">.</span><span class="n">Int</span><span class="p">)</span><span class="o">.</span><span class="n">SetBytes</span><span class="p">(</span><span class="n">verifier</span><span class="p">)</span> <span class="k">if</span> <span class="n">v</span><span class="o">.</span><span class="n">Sign</span><span class="p">()</span> <span class="o">==</span> <span class="m">0</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">errors</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="s">"srp: zero verifier"</span><span class="p">)</span> <span class="p">}</span> <span class="n">b</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">randBigInt</span><span class="p">(</span><span class="m">256</span><span class="p">)</span> <span class="c">// 256 bits of entropy from crypto/rand</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">err</span> <span class="p">}</span> <span class="c">// B = k*v + g^b mod N</span> <span class="n">kv</span> <span class="o">:=</span> <span class="nb">new</span><span class="p">(</span><span class="n">big</span><span class="o">.</span><span class="n">Int</span><span class="p">)</span><span class="o">.</span><span class="n">Mul</span><span class="p">(</span><span class="n">srpK</span><span class="p">,</span> <span class="n">v</span><span class="p">)</span> <span class="n">gb</span> <span class="o">:=</span> <span class="nb">new</span><span class="p">(</span><span class="n">big</span><span class="o">.</span><span class="n">Int</span><span class="p">)</span><span class="o">.</span><span class="n">Exp</span><span class="p">(</span><span class="n">srpG</span><span class="p">,</span> <span class="n">b</span><span class="p">,</span> <span class="n">srpN</span><span class="p">)</span> <span class="n">B</span> <span class="o">:=</span> <span class="nb">new</span><span class="p">(</span><span class="n">big</span><span class="o">.</span><span class="n">Int</span><span class="p">)</span><span class="o">.</span><span class="n">Add</span><span class="p">(</span><span class="n">kv</span><span class="p">,</span> <span class="n">gb</span><span class="p">)</span> <span class="n">B</span><span class="o">.</span><span class="n">Mod</span><span class="p">(</span><span class="n">B</span><span class="p">,</span> <span class="n">srpN</span><span class="p">)</span> <span class="k">if</span> <span class="n">B</span><span class="o">.</span><span class="n">Sign</span><span class="p">()</span> <span class="o">==</span> <span class="m">0</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">errors</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="s">"srp: B is zero"</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="o">&amp;</span><span class="n">SRPServer</span><span class="p">{</span><span class="n">verifier</span><span class="o">:</span> <span class="n">v</span><span class="p">,</span> <span class="n">b</span><span class="o">:</span> <span class="n">b</span><span class="p">,</span> <span class="n">B</span><span class="o">:</span> <span class="n">B</span><span class="p">},</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <p><strong>Proof verification</strong> -- the critical code path:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="p">(</span><span class="n">s</span> <span class="o">*</span><span class="n">SRPServer</span><span class="p">)</span> <span class="n">VerifyProof</span><span class="p">(</span><span class="n">clientA</span><span class="p">,</span> <span class="n">clientM1</span> <span class="p">[]</span><span class="kt">byte</span><span class="p">)</span> <span class="p">([]</span><span class="kt">byte</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">A</span> <span class="o">:=</span> <span class="nb">new</span><span class="p">(</span><span class="n">big</span><span class="o">.</span><span class="n">Int</span><span class="p">)</span><span class="o">.</span><span class="n">SetBytes</span><span class="p">(</span><span class="n">clientA</span><span class="p">)</span> <span class="c">// Safety: A mod N != 0</span> <span class="k">if</span> <span class="nb">new</span><span class="p">(</span><span class="n">big</span><span class="o">.</span><span class="n">Int</span><span class="p">)</span><span class="o">.</span><span class="n">Mod</span><span class="p">(</span><span class="n">A</span><span class="p">,</span> <span class="n">srpN</span><span class="p">)</span><span class="o">.</span><span class="n">Sign</span><span class="p">()</span> <span class="o">==</span> <span class="m">0</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">errors</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="s">"srp: A mod N is zero"</span><span class="p">)</span> <span class="p">}</span> <span class="n">u</span> <span class="o">:=</span> <span class="n">computeU</span><span class="p">(</span><span class="n">A</span><span class="p">,</span> <span class="n">s</span><span class="o">.</span><span class="n">B</span><span class="p">)</span> <span class="k">if</span> <span class="n">u</span><span class="o">.</span><span class="n">Sign</span><span class="p">()</span> <span class="o">==</span> <span class="m">0</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">errors</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="s">"srp: u is zero"</span><span class="p">)</span> <span class="p">}</span> <span class="c">// S = (A * v^u)^b mod N</span> <span class="n">vu</span> <span class="o">:=</span> <span class="nb">new</span><span class="p">(</span><span class="n">big</span><span class="o">.</span><span class="n">Int</span><span class="p">)</span><span class="o">.</span><span class="n">Exp</span><span class="p">(</span><span class="n">s</span><span class="o">.</span><span class="n">verifier</span><span class="p">,</span> <span class="n">u</span><span class="p">,</span> <span class="n">srpN</span><span class="p">)</span> <span class="n">avu</span> <span class="o">:=</span> <span class="nb">new</span><span class="p">(</span><span class="n">big</span><span class="o">.</span><span class="n">Int</span><span class="p">)</span><span class="o">.</span><span class="n">Mul</span><span class="p">(</span><span class="n">A</span><span class="p">,</span> <span class="n">vu</span><span class="p">)</span> <span class="n">avu</span><span class="o">.</span><span class="n">Mod</span><span class="p">(</span><span class="n">avu</span><span class="p">,</span> <span class="n">srpN</span><span class="p">)</span> <span class="n">S</span> <span class="o">:=</span> <span class="nb">new</span><span class="p">(</span><span class="n">big</span><span class="o">.</span><span class="n">Int</span><span class="p">)</span><span class="o">.</span><span class="n">Exp</span><span class="p">(</span><span class="n">avu</span><span class="p">,</span> <span class="n">s</span><span class="o">.</span><span class="n">b</span><span class="p">,</span> <span class="n">srpN</span><span class="p">)</span> <span class="n">nLen</span> <span class="o">:=</span> <span class="nb">len</span><span class="p">(</span><span class="n">srpN</span><span class="o">.</span><span class="n">Bytes</span><span class="p">())</span> <span class="n">K</span> <span class="o">:=</span> <span class="n">hashBytes</span><span class="p">(</span><span class="n">padTo</span><span class="p">(</span><span class="n">S</span><span class="p">,</span> <span class="n">nLen</span><span class="p">))</span> <span class="n">expectedM1</span> <span class="o">:=</span> <span class="n">hashBytes</span><span class="p">(</span><span class="n">padTo</span><span class="p">(</span><span class="n">A</span><span class="p">,</span> <span class="n">nLen</span><span class="p">),</span> <span class="n">padTo</span><span class="p">(</span><span class="n">s</span><span class="o">.</span><span class="n">B</span><span class="p">,</span> <span class="n">nLen</span><span class="p">),</span> <span class="n">K</span><span class="p">)</span> <span class="k">if</span> <span class="o">!</span><span class="n">constantTimeEqual</span><span class="p">(</span><span class="n">expectedM1</span><span class="p">,</span> <span class="n">clientM1</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">errors</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="s">"srp: client proof invalid"</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Mutual auth: M2 = H(A | M1 | K)</span> <span class="n">M2</span> <span class="o">:=</span> <span class="n">hashBytes</span><span class="p">(</span><span class="n">padTo</span><span class="p">(</span><span class="n">A</span><span class="p">,</span> <span class="n">nLen</span><span class="p">),</span> <span class="n">clientM1</span><span class="p">,</span> <span class="n">K</span><span class="p">)</span> <span class="k">return</span> <span class="n">M2</span><span class="p">,</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <h3> The Full Login Flow (HTTP level) </h3> <p>The login is a two-round-trip exchange:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">POST /api/auth/login/init { email, clientPublicA } --&gt; { srpSalt, serverPublicB } POST /api/auth/login/verify { email, clientPublicA, clientProofM1 } --&gt; { sessionToken, serverProofM2, encryptedVaultKey } </span></code></pre> </div> <p>The client verifies M2 locally. If the server is an impersonator, M2 will not match and the client aborts. Mutual authentication complete.</p> <h2> Security Considerations </h2> <p>Getting the math right is necessary but not sufficient. Here are the implementation details that prevent real-world attacks:</p> <h3> 1. Constant-Time Comparison </h3> <p>Comparing M1 proof bytes must be constant-time to prevent timing side-channels:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">constantTimeEqual</span><span class="p">(</span><span class="n">a</span><span class="p">,</span> <span class="n">b</span> <span class="p">[]</span><span class="kt">byte</span><span class="p">)</span> <span class="kt">bool</span> <span class="p">{</span> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">a</span><span class="p">)</span> <span class="o">!=</span> <span class="nb">len</span><span class="p">(</span><span class="n">b</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="no">false</span> <span class="p">}</span> <span class="k">var</span> <span class="n">v</span> <span class="kt">byte</span> <span class="k">for</span> <span class="n">i</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">a</span> <span class="p">{</span> <span class="n">v</span> <span class="o">|=</span> <span class="n">a</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">^</span> <span class="n">b</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="p">}</span> <span class="k">return</span> <span class="n">v</span> <span class="o">==</span> <span class="m">0</span> <span class="p">}</span> </code></pre> </div> <p>An early-return comparison leaks how many bytes matched, which can be exploited byte-by-byte to forge a valid proof.</p> <h3> 2. Validating A mod N != 0 and B mod N != 0 </h3> <p>If <code>A mod N == 0</code>, the server's computation degenerates: the shared secret becomes 0 regardless of the password. An attacker could send <code>A = 0</code> or <code>A = N</code> or <code>A = 2N</code> to bypass authentication. The same applies to B on the client side.</p> <p>Both sides must reject these values before proceeding.</p> <h3> 3. Padding to Fixed Length </h3> <p>All BigInt-to-bytes conversions are padded to the full byte length of N (256 bytes for a 2048-bit group). Without padding, <code>H(A || B)</code> could collide with <code>H(A' || B')</code> when leading zero bytes are dropped.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">padTo</span><span class="p">(</span><span class="n">n</span> <span class="o">*</span><span class="n">big</span><span class="o">.</span><span class="n">Int</span><span class="p">,</span> <span class="n">length</span> <span class="kt">int</span><span class="p">)</span> <span class="p">[]</span><span class="kt">byte</span> <span class="p">{</span> <span class="n">b</span> <span class="o">:=</span> <span class="n">n</span><span class="o">.</span><span class="n">Bytes</span><span class="p">()</span> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">b</span><span class="p">)</span> <span class="o">&gt;=</span> <span class="n">length</span> <span class="p">{</span> <span class="k">return</span> <span class="n">b</span> <span class="p">}</span> <span class="n">padded</span> <span class="o">:=</span> <span class="nb">make</span><span class="p">([]</span><span class="kt">byte</span><span class="p">,</span> <span class="n">length</span><span class="p">)</span> <span class="nb">copy</span><span class="p">(</span><span class="n">padded</span><span class="p">[</span><span class="n">length</span><span class="o">-</span><span class="nb">len</span><span class="p">(</span><span class="n">b</span><span class="p">)</span><span class="o">:</span><span class="p">],</span> <span class="n">b</span><span class="p">)</span> <span class="k">return</span> <span class="n">padded</span> <span class="p">}</span> </code></pre> </div> <h3> 4. Verifier == Asymmetric Secret </h3> <p>The verifier <code>v = g^x mod N</code> acts like a public key: the server can verify proofs with it, but cannot derive the password from it. Even if the verifier database is exfiltrated, the attacker must solve the discrete logarithm problem (in a 2048-bit group) to recover the password -- computationally infeasible.</p> <h3> 5. Rate Limiting and Anti-Enumeration </h3> <p>SRP does not protect against online brute-force. Auth Box adds per-email rate limiting (5 attempts per 5-minute window) and returns identical error messages for "user not found" and "wrong password" to prevent email enumeration.</p> <h2> What We Learned </h2> <p>Building SRP-6a from scratch (rather than using a library) forced decisions that would otherwise be invisible:</p> <ul> <li> <strong>BigInt is production-ready in browsers</strong>: Native <code>BigInt</code> arithmetic in TypeScript is fast enough for 2048-bit modular exponentiation. No WASM needed.</li> <li> <strong>Padding is the silent killer</strong>: The most insidious bug was not padding <code>g</code> to N's byte length when computing <code>k = H(N || PAD(g))</code>. Client and server computed different <code>k</code> values and the handshake silently failed. Both sides must use identical padding.</li> <li> <strong>Session key derivation matters</strong>: We derive <code>K = H(S)</code> rather than using <code>S</code> directly. The raw shared secret has algebraic structure; hashing it produces a uniformly distributed key suitable for symmetric crypto.</li> <li> <strong>Test the full round-trip in a single language first</strong>: Our Go test file includes a <code>computeClientSide</code> function that mirrors the TypeScript client. This catches cross-language mismatches (endianness, padding, hash input ordering) before they hit the network.</li> </ul> <h2> Try It Yourself </h2> <p>Auth Box is open source under the MIT license:</p> <p><strong>Repository</strong>: <a href="https://github.com/MARUCIE/authbox" rel="noopener noreferrer">github.com/MARUCIE/authbox</a></p> <p>Key files for the SRP implementation:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>File</th> <th>Language</th> <th>Role</th> </tr> </thead> <tbody> <tr> <td><code>packages/crypto/src/srp.ts</code></td> <td>TypeScript</td> <td>Client-side SRP-6a (BigInt + <a class="mentioned-user" href="https://dev.to/noble">@noble</a>/hashes)</td> </tr> <tr> <td><code>services/api/internal/auth/srp.go</code></td> <td>Go</td> <td>Server-side SRP-6a (crypto/rand + math/big)</td> </tr> <tr> <td><code>services/api/internal/auth/srp_test.go</code></td> <td>Go</td> <td>Round-trip tests (6 test cases)</td> </tr> <tr> <td><code>apps/web/lib/auth.ts</code></td> <td>TypeScript</td> <td>Full registration and login flows</td> </tr> </tbody> </table></div> <p>To run the SRP tests:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>services/api <span class="o">&amp;&amp;</span> go <span class="nb">test</span> ./internal/auth/ <span class="nt">-v</span> <span class="nt">-run</span> SRP </code></pre> </div> <p>The crypto layer beyond SRP includes Argon2id key derivation, AES-256-GCM vault encryption, BIP-39 seed phrases for recovery, and Arweave-based vault archival. All zero-knowledge, all client-side.</p> <p>Maurice | <a href="mailto:maurice_wen@proton.me">maurice_wen@proton.me</a></p> cybersecurity opensource privacy security