I’m in the designing stages of a custom tcp/ip protocol for mobile client-server communication. When not required (data is not sensitive), I’d like to avoid using SSL for overhead reasons (both in handshake latency and conserving cycles).

My question is, what is the best practices way of transmitting authentication information over an unencrypted connection?

Currently, I’m liking SRP or J-PAKE (they generate secure session tokens, are hash/salt friendly, and allow kicking into TLS when necessary), which I believe are both implemented in OpenSSL. However, I am a bit wary since I don’t see many people using these algorithms for this purpose. Would also appreciate pointers to any materials discussing this topic in general, since I had trouble finding any.

Edit

Perhaps the question should have been: is there a best practices approach for secure passwords over unencrypted tcp/ip? If not, what are the reasons for selecting a particular method over others? (The Rooks answer is closest in spirit to this question so far, even if it does violate the letter).

Edit, part deux

I’m primarily interested in the case of client-server authentication, where there is an expectation that both parties have a shared secret (password) a priori.