Difference between revisions of "XMPP IM Client Design Guidelines"

Line 118: Line 118:




== Implement SCRAM-SHA-1 ==
== Implement SCRAM-SHA-1 / SCRAM-SHA-256 / SCRAM-SHA-512 / SCRAM-SHA3-512 ==


=== Description ===
=== Description ===
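Review bot: the new heading spells out all four hash variants ("SCRAM-SHA-1 / SCRAM-SHA-256 / SCRAM-SHA-512 / SCRAM-SHA3-512"), and the "Do:" line in the Description repeats exactly the same list, so the enumeration is maintained in two places and will drift the next time a variant is added; consider the shorter heading "== Implement SCRAM ==" and keep the list of hash functions in the body only, where the rationale below already refers to the family simply as "SCRAM".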
Line 124: Line 124:
Do '''not''': Implement DIGEST-MD5 or CRAM-MD5. These mechanisms only work if the server has access to the plain password.
Do '''not''': Implement DIGEST-MD5 or CRAM-MD5. These mechanisms only work if the server has access to the plain password.


Do: Implement SCRAM-SHA-1 and PLAIN.
Do: Implement SCRAM-SHA-1 / SCRAM-SHA-256 / SCRAM-SHA-512 / SCRAM-SHA3-512 and PLAIN.


=== Rationale ===
=== Rationale ===


Hashing and salting passwords helps making it hard to retrieve the plain password from a compromised server. However, we would also like to be able to protect the password while it is in transit. These two concepts are difficult to combine: DIGEST-MD5 and CRAM-MD5 only protect the password in transit – the mechanisms can't work if the server wants to store the password hashed and salted. SCRAM-SHA-1 fixes that and supports both hashed storage and hashed transmission.
Hashing and salting passwords helps making it hard to retrieve the plain password from a compromised server. However, we would also like to be able to protect the password while it is in transit. These two concepts are difficult to combine: DIGEST-MD5 and CRAM-MD5 only protect the password in transit – the mechanisms can't work if the server wants to store the password hashed and salted. SCRAM fixes that and supports both hashed storage and hashed transmission.


While it would be nice to deprecate PLAIN, it is still needed for servers who use a different hashing mechanism than SCRAM-SHA-1 needs.
While it would be nice to deprecate PLAIN, it is still needed for servers who use a different hashing mechanism than SCRAM needs.


See [[SASL and SCRAM-SHA-1(-PLUS) / SCRAM-SHA-256(-PLUS)]] for help with implementing SCRAM-SHA-1.
See [[SASL and SCRAM-SHA-1(-PLUS) / SCRAM-SHA-256(-PLUS) / SCRAM-SHA-512(-PLUS)]] for help with implementing SCRAM-SHA-1 / SCRAM-SHA-256 / SCRAM-SHA-512 / SCRAM-SHA3-512.
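Review bot: the revised "Do:" line still recommends PLAIN without any condition on when it may be used, even though the rationale two paragraphs later says the goal is to "protect the password while it is in transit"; PLAIN sends the password unhashed, so the line should state that it is only acceptable once the stream is TLS-protected, e.g. "Do: Implement SCRAM-SHA-1 / SCRAM-SHA-256 / SCRAM-SHA-512 / SCRAM-SHA3-512, and PLAIN only over a TLS-encrypted stream." Two smaller points in the same hunk: the link target in the last line is titled "SASL and SCRAM-SHA-1(-PLUS) / SCRAM-SHA-256(-PLUS) / SCRAM-SHA-512(-PLUS)" but the sentence promises help with SCRAM-SHA3-512 as well, so either the linked page title or the sentence is out of sync; and "helps making it hard" in the first rationale sentence should read "helps make it hard".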