Vlad,

This is not how good protocols work; they instead create high-entropy symmetric keys which are encrypted by public keys, then exchanged and used for encrypting payloads.

SRP could have been widely used, but Lucent killed it by requiring licenses, so it will never be featured in browsers.

Anders

Vlad Avdeev wrote:
RSA is useless for the WEB. An eavesdropper acquires the server public key, the client public key and the encrypted password, takes a dictionary of passwords, encrypts every possible password and compares the result. Only one encryption is needed to check one password from a dictionary, or 30^6 checks to test all passwords up to 6 characters. There is RFC 2945 - The SRP Authentication and Key Exchange System. http://en.wikipedia.org/wiki/Secure_remote_password_protocol RSA encryption will give a false sense of security to web programmers.
