Difference between revisions of "SASL Authentication and SCRAM"

Jump to navigation Jump to search
m
no edit summary
m
m
(14 intermediate revisions by 3 users not shown)
Line 1: Line 1:
[https://tools.ietf.org/html/rfc5802 SCRAM-SHA-1] is a SASL mechanism improving on [[SASLandDIGEST-MD5|DIGEST-MD5]]. Its main benefits are in offering both a method to salt and hash the password in storage and in transit. This page aims to give a short introduction on how to implement it in a client.
== State of Play ==
Go here: https://github.com/scram-xmpp/info/issues/1


Note: There is an update of SCRAM-SHA-1/SCRAM-SHA-1-PLUS: "[https://tools.ietf.org/html/rfc5802 Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms]"
== Introduction ==
  [https://tools.ietf.org/html/rfc7677 RFC7677: SCRAM-SHA-256 and SCRAM-SHA-256-PLUS Simple Authentication and Security Layer (SASL) Mechanisms]
=== SCRAM-SHA-1(-PLUS) ===
[https://tools.ietf.org/html/rfc5802 Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms (SCRAM-SHA-1(-PLUS)] is a SASL mechanism improving on [[SASL and DIGEST-MD5|DIGEST-MD5]].


== Overview ==
* [https://tools.ietf.org/html/rfc6331 RFC6331: Moving DIGEST-MD5 to Historic]
* CRAM-MD5 to Historic ([https://tools.ietf.org/html/draft-ietf-sasl-crammd5-to-historic-00 draft-ietf-sasl-crammd5-to-historic-00] + [https://tools.ietf.org/html/draft-zeilenga-luis140219-crammd5-to-historic-00 draft-zeilenga-luis140219-crammd5-to-historic-00])
 
Its main benefits are in offering both a method to salt and hash the password in storage and in transit. This page aims to give a short introduction on how to implement it in a client.
 
With changes from TLS 1.2 to TLS 1.3, an Internet-Draft is in progress for TLS Binding and TLS 1.3: [https://tools.ietf.org/html/draft-ietf-kitten-tls-channel-bindings-for-tls13 Channel Bindings for TLS 1.3: draft-ietf-kitten-tls-channel-bindings-for-tls13].
 
=== SCRAM-SHA-256(-PLUS) ===
Please note that there is now [https://tools.ietf.org/html/rfc7677 RFC7677: SCRAM-SHA-256 and SCRAM-SHA-256-PLUS Simple Authentication and Security Layer (SASL) Mechanisms] (since November 2015).
 
Already integrated by several XMPP softwares:
* Servers: DJabberd 0.90+, Erlang Solutions MongooseIM 3.7+, Isode M-Link, Jackal IM, Metronome IM, ProcessOne ejabberd 20.12+, Prosody IM 0.12.x, Tigase XMPP Server 8.0+
* Clients: Conversations, CoyIM, eyeCU, Gajim 1.2.0+, KDE Kaidan, Miranda NG, Mozilla Thunderbird 71+, Psi/Psi+ (with QCA), Tigase Beagle IM, Tigase Siskin IM, Tigase Stork IM, UWPX, Vacuum IM
* Libraries: cr-xmpp, libstrophe, Mellium XMPP, python-nbxmpp, QXmpp, Tigase JaXMPP, TigaseSwift, Stanza, Wocky, xmpp-rs
 
Others:
* aiokafka, aiosasl, Atheme, Auth_SASL/Auth_SASL2, Authen-SCRAM, cassandra-secure-plugin, ba0f3/scram.nim, Couchbase, Cyrus SASL, Dovecot, Erlang Solutions Escalus, Exim (with gsasl), fast_scram, GNU SASL (gsasl) 1.9.1+, Haystack, Kafka, ldaptive, MailKit, Mellium SASL, Memcached, MongoDB, MySQL 8.0.23+, NeoMutt, ongres/scram, OpenDJ, passlib.hash.scram, PhysoTronic/SASL-SCRAM-SHA256, PostgreSQL 10+, pwithnall/libscram, PyMongo 3.7, Rust SASL, Rust SCRAM, Skyspark, SquirelMail, tlocke/scramp, trondn/java-sasl-scram-sha1, UnboundID LDAP SDK, Vert.x SCRAM, WildFly Elytron, xdg-go/scram, xmpp-webhook
 
=== SCRAM-SHA-512(-PLUS) ===
Possibly, also adding [https://tools.ietf.org/html/draft-melnikov-scram-sha-512 SCRAM-SHA-512 and SCRAM-SHA-512-PLUS Simple Authentication and Security Layer (SASL) Mechanisms: draft-melnikov-scram-sha-512]
 
Already integrated by several XMPP softwares:
* Servers: DJabberd 0.90+, Erlang Solutions MongooseIM 3.7+, Isode M-Link, Jackal IM, Metronome IM, ProcessOne ejabberd 20.12+, Tigase XMPP Server 8.0+
* Clients: Conversations, CoyIM, eyeCU, KDE Kaidan, Miranda NG, Psi/Psi+ (with QCA), Tigase Stork IM, Vacuum IM
* Libraries: cr-xmpp, libstrophe, QXmpp, Tigase JaXMPP, Wocky
 
Others:
* aiokafka, Atheme, Auth_SASL/Auth_SASL2, Authen-SCRAM, ba0f3/scram.nim, Couchbase, Cyrus SASL, Dovecot, Erlang Solutions Escalus, fast_scram, Haystack, Kafka, ldaptive, MailKit, Memcached, NeoMutt, OpenDJ, passlib.hash.scram, pwithnall/libscram, Skyspark, trondn/java-sasl-scram-sha1, UnboundID LDAP SDK, WildFly Elytron
 
=== SCRAM-SHA3-512(-PLUS) ===
Possibly, also adding [https://tools.ietf.org/html/draft-melnikov-scram-sha3-512 SCRAM-SHA3-512 and SCRAM-SHA3-512-PLUS Simple Authentication and Security Layer (SASL) Mechanisms: draft-melnikov-scram-sha3-512]
 
Already integrated by several XMPP softwares:
* Servers: Jackal IM
* Clients: KDE Kaidan
* Libraries: QXmpp
 
=== Order ===
<span style="color:#FF0000">Warning:</span> In [https://tools.ietf.org/html/rfc8600 RFC8600: Using Extensible Messaging and Presence Protocol (XMPP) for Security Information Exchange] (June 2019):
 
"When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802]".
 
<span style="color:#FF0000">But it has been changed</span> in [https://tools.ietf.org/html/draft-ietf-kitten-password-storage-02 draft-ietf-kitten-password-storage-02] (2020)
* SCRAM-SHA-256-PLUS
* SCRAM-SHA-1-PLUS
* SCRAM-SHA-256
* SCRAM-SHA-1
 
== SCRAM-SHA-1(-PLUS) ==
=== Overview ===


The basic overview of how this mechanism works is:
The basic overview of how this mechanism works is:
Line 16: Line 67:
The cryptographic algorithms needed are [https://tools.ietf.org/html/rfc3174 SHA-1], [https://tools.ietf.org/html/rfc2104 HMAC] with SHA-1 and [https://tools.ietf.org/html/rfc2898 PBKDF2] with SHA-1. It is advised to find libraries to use these algorithms instead of implementing them from scratch.
The cryptographic algorithms needed are [https://tools.ietf.org/html/rfc3174 SHA-1], [https://tools.ietf.org/html/rfc2104 HMAC] with SHA-1 and [https://tools.ietf.org/html/rfc2898 PBKDF2] with SHA-1. It is advised to find libraries to use these algorithms instead of implementing them from scratch.


== In detail ==
=== In detail ===


<ol>
<ol>
Line 104: Line 155:
</ol>
</ol>


== Extras ==
=== Extras ===


This is the basic version of the algorithm. You can extend it to do:
This is the basic version of the algorithm. You can extend it to do:
Line 110: Line 161:
* Channel binding. This mixes in some information from the TLS connection to the procedure to prevent MitM attacks.
* Channel binding. This mixes in some information from the TLS connection to the procedure to prevent MitM attacks.
* Hashed storage. If the server always sends the same salt and i values, then the client can store only <code>clientKey</code>, instead of the user's password. This is more secure (as the client doesn't need to store the password, just a hard to reverse salt) and faster, as the client doesn't need to do all the hashing every time.
* Hashed storage. If the server always sends the same salt and i values, then the client can store only <code>clientKey</code>, instead of the user's password. This is more secure (as the client doesn't need to store the password, just a hard to reverse salt) and faster, as the client doesn't need to do all the hashing every time.
* Possibly, also adding SCRAM-SHA-256 ([https://datatracker.ietf.org/doc/draft-hansen-scram-sha256/ currently in draft]) (though server support seems non-existent).


== Common pitfalls ==
=== Common pitfalls ===


* Don't assume anything about the length of the nonces or salt (though if you generate them, make sure they are long enough and cryptographically random).
* Don't assume anything about the length of the nonces or salt (though if you generate them, make sure they are long enough and cryptographically random).
Line 119: Line 169:
* The <code>initialMessage</code> part of the <code>authMessage</code> does not include the GS2 header (in most situations, this is <code>"n,,"</code>).
* The <code>initialMessage</code> part of the <code>authMessage</code> does not include the GS2 header (in most situations, this is <code>"n,,"</code>).


== Test vectors ==
=== Test vectors ===


Here is a complete example:
Here is a complete example:
Line 160: Line 210:


Server's server signature (hex): <code>ae617da6a57c4bbb2e0286568dae1d251905b0a4</code>
Server's server signature (hex): <code>ae617da6a57c4bbb2e0286568dae1d251905b0a4</code>
== SCRAM-SHA-256(-PLUS) ==
Possibly, also adding [https://tools.ietf.org/html/rfc7677 RFC7677: SCRAM-SHA-256 and SCRAM-SHA-256-PLUS Simple Authentication and Security Layer (SASL) Mechanisms]
=== Overview ===
=== In detail ===
=== Extras ===
=== Common pitfalls ===
=== Test vectors ===
== SCRAM-SHA-512(-PLUS) ==
Possibly, also adding [https://tools.ietf.org/html/draft-melnikov-scram-sha-512 SCRAM-SHA-512 and SCRAM-SHA-512-PLUS Simple Authentication and Security Layer (SASL) Mechanisms: draft-melnikov-scram-sha-512]
=== Overview ===
=== In detail ===
=== Extras ===
=== Common pitfalls ===
=== Test vectors ===
== SCRAM-SHA3-512(-PLUS) ==
Possibly, also adding [https://tools.ietf.org/html/draft-melnikov-scram-sha3-512 SCRAM-SHA3-512 and SCRAM-SHA3-512-PLUS Simple Authentication and Security Layer (SASL) Mechanisms: draft-melnikov-scram-sha3-512]
=== Overview ===
=== In detail ===
=== Extras ===
=== Common pitfalls ===
=== Test vectors ===
== Channel Bindings ==
* [https://tools.ietf.org/html/rfc5056 RFC5056: On the Use of Channel Bindings to Secure Channels]
* [https://tools.ietf.org/html/rfc5929 RFC5929: Channel Bindings for TLS]
* [https://www.iana.org/assignments/channel-binding-types/channel-binding-types.xhtml Channel-Binding Types]
* [https://tools.ietf.org/html/draft-ietf-kitten-tls-channel-bindings-for-tls13 Channel Bindings for TLS 1.3: draft-ietf-kitten-tls-channel-bindings-for-tls13]
== IANA ==
* [https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml Simple Authentication and Security Layer (SASL) Mechanisms]
== LDAP ==
* [https://tools.ietf.org/html/rfc5803 RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing Salted: Challenge Response Authentication Mechanism (SCRAM) Secrets]
== HTTP ==
* [https://tools.ietf.org/html/rfc7804 RFC7804: Salted Challenge Response HTTP Authentication Mechanism]
== 2FA ==
* [https://tools.ietf.org/html/draft-melnikov-scram-2fa Extensions to Salted Challenge Response (SCRAM) for 2 factor authentication: draft-melnikov-scram-2fa]
216

edits

Navigation menu