Difference between revisions of "XMPP IM Client Design Guidelines"
Neustradamus (talk | contribs) m |
Line 118: | Line 118: | ||
== Implement SCRAM-SHA-1 == | == Implement SCRAM-SHA-1 / SCRAM-SHA-256 / SCRAM-SHA-512 / SCRAM-SHA3-512 == | ||
=== Description === | === Description === | ||
Line 124: | Line 124: | ||
Do '''not''': Implement DIGEST-MD5 or CRAM-MD5. These mechanisms only work if the server has access to the plain password. | Do '''not''': Implement DIGEST-MD5 or CRAM-MD5. These mechanisms only work if the server has access to the plain password. | ||
Do: Implement SCRAM-SHA-1 and PLAIN. | Do: Implement SCRAM-SHA-1 / SCRAM-SHA-256 / SCRAM-SHA-512 / SCRAM-SHA3-512 and PLAIN. | ||
=== Rationale === | === Rationale === | ||
Hashing and salting passwords helps making it hard to retrieve the plain password from a compromised server. However, we would also like to be able to protect the password while it is in transit. These two concepts are difficult to combine: DIGEST-MD5 and CRAM-MD5 only protect the password in transit – the mechanisms can't work if the server wants to store the password hashed and salted. SCRAM | Hashing and salting passwords helps making it hard to retrieve the plain password from a compromised server. However, we would also like to be able to protect the password while it is in transit. These two concepts are difficult to combine: DIGEST-MD5 and CRAM-MD5 only protect the password in transit – the mechanisms can't work if the server wants to store the password hashed and salted. SCRAM fixes that and supports both hashed storage and hashed transmission. | ||
While it would be nice to deprecate PLAIN, it is still needed for servers who use a different hashing mechanism than SCRAM | While it would be nice to deprecate PLAIN, it is still needed for servers who use a different hashing mechanism than SCRAM needs. | ||
See [[SASL and SCRAM-SHA-1(-PLUS) / SCRAM-SHA-256(-PLUS)]] for help with implementing SCRAM-SHA-1. | See [[SASL and SCRAM-SHA-1(-PLUS) / SCRAM-SHA-256(-PLUS) / SCRAM-SHA-512(-PLUS)]] for help with implementing SCRAM-SHA-1 / SCRAM-SHA-256 / SCRAM-SHA-512 / SCRAM-SHA3-512. |