216
edits
Difference between revisions of "SASL Authentication and SCRAM"
Jump to navigation
Jump to search
m
SASL Authentication and SCRAM (view source)
Revision as of 07:06, 16 August 2022
, 07:06, 16 August 2022no edit summary
Neustradamus (talk | contribs) m |
Neustradamus (talk | contribs) m |
||
| (11 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
== Introduction == | == Introduction == | ||
=== SCRAM-SHA-1(-PLUS) === | === SCRAM-SHA-1(-PLUS) === | ||
| Line 11: | Line 8: | ||
Its main benefits are in offering both a method to salt and hash the password in storage and in transit. This page aims to give a short introduction on how to implement it in a client. | Its main benefits are in offering both a method to salt and hash the password in storage and in transit. This page aims to give a short introduction on how to implement it in a client. | ||
With changes from TLS 1.2 to TLS 1.3, an | With changes from TLS 1.2 to TLS 1.3, an RFC has been done: [https://tools.ietf.org/html/rfc9266 RFC9266: Channel Bindings for TLS 1.3]. | ||
=== SCRAM-SHA-256(-PLUS) === | === SCRAM-SHA-256(-PLUS) === | ||
| Line 18: | Line 15: | ||
Already integrated by several XMPP softwares: | Already integrated by several XMPP softwares: | ||
* Servers: DJabberd 0.90+, Erlang Solutions MongooseIM 3.7+, Isode M-Link, Jackal IM, Metronome IM, ProcessOne ejabberd 20.12+, Prosody IM 0.12.x, Tigase XMPP Server 8.0+ | * Servers: DJabberd 0.90+, Erlang Solutions MongooseIM 3.7+, Isode M-Link, Jackal IM, Metronome IM, ProcessOne ejabberd 20.12+, Prosody IM 0.12.x, Tigase XMPP Server 8.0+ | ||
* Clients: Conversations, CoyIM, eyeCU, Gajim 1.2.0+, KDE Kaidan, Miranda NG, Mozilla Thunderbird 71 | * Clients: Conversations, CoyIM, eyeCU, Gajim 1.2.0+, KDE Kaidan, Miranda NG, Mozilla Thunderbird 71 (XMPP only), Psi/Psi+ (with QCA), Tigase Beagle IM, Tigase Siskin IM, Tigase Stork IM, UWPX, Vacuum IM | ||
* Libraries: cr-xmpp, libstrophe, Mellium XMPP, python-nbxmpp, QXmpp, Tigase JaXMPP, TigaseSwift, Stanza, Wocky, xmpp-rs | * Libraries: cr-xmpp, libstrophe, liangdefeng/Sharp.Xmpp.Client, Mellium XMPP, processone/xmpp, python-nbxmpp, QXmpp, Tigase JaXMPP, TigaseSwift, Stanza, Wocky, xmpp-rs | ||
Others: | Others: | ||
* aiokafka, aiosasl, Atheme, Auth_SASL/Auth_SASL2, Authen-SCRAM, cassandra-secure-plugin, ba0f3/scram.nim, Couchbase, Cyrus SASL, Dovecot, Erlang Solutions Escalus, Exim (with gsasl), fast_scram, GNU SASL (gsasl) 1.9.1+, Haystack, Kafka, ldaptive, MailKit, Mellium SASL, Memcached, MongoDB, MySQL 8.0.23+, NeoMutt, ongres/scram, OpenDJ, passlib.hash.scram, PhysoTronic/SASL-SCRAM-SHA256, PostgreSQL 10+, pwithnall/libscram, PyMongo 3.7, Rust SASL, Rust SCRAM, Skyspark, SquirelMail, tlocke/scramp, trondn/java-sasl-scram-sha1, UnboundID LDAP SDK, Vert.x SCRAM, WildFly Elytron, xdg-go/scram, xmpp-webhook | * aiokafka, aiosasl, Atheme, Auth_SASL/Auth_SASL2, Authen-SCRAM, cassandra-secure-plugin, ba0f3/scram.nim, Couchbase, Cyrus SASL, DataEnter CryptoFilter, DataEnter POPBeamer, DataEnter SMTPBeamer, DataEnter XWall, Dovecot, Erlang Solutions Escalus, Exim (with gsasl), fast_scram, GNU SASL (gsasl) 1.9.1+, Haystack, Kafka, ldaptive, libmongoc, MailKit/MimeKit, Mellium SASL, Memcached, MongoDB, mpop, msmtp, MySQL 8.0.23+, NeoMutt, ogrebgr/scram-sasl, ongres/scram, OpenDJ, passlib.hash.scram, Pgpool-II/pgpoolAdmin 4.0.0, PhysoTronic/SASL-SCRAM-SHA256, PostgreSQL 10+, puppetlabs-postgresql, pwithnall/libscram, PyMongo 3.7, Rust SASL, Rust SCRAM, SnappyMail, supercaracal/scram-sha-256, Skyspark, SquirelMail, tlocke/scramp, Tigase TTS-NG, trondn/java-sasl-scram-sha1, UnboundID LDAP SDK, Vert.x SCRAM, WildFly Elytron, xdg-go/scram, xmpp-webhook, YugabyteDB 2.5 | ||
=== SCRAM-SHA-512(-PLUS) === | === SCRAM-SHA-512(-PLUS) === | ||
| Line 30: | Line 27: | ||
* Servers: DJabberd 0.90+, Erlang Solutions MongooseIM 3.7+, Isode M-Link, Jackal IM, Metronome IM, ProcessOne ejabberd 20.12+, Tigase XMPP Server 8.0+ | * Servers: DJabberd 0.90+, Erlang Solutions MongooseIM 3.7+, Isode M-Link, Jackal IM, Metronome IM, ProcessOne ejabberd 20.12+, Tigase XMPP Server 8.0+ | ||
* Clients: Conversations, CoyIM, eyeCU, KDE Kaidan, Miranda NG, Psi/Psi+ (with QCA), Tigase Stork IM, Vacuum IM | * Clients: Conversations, CoyIM, eyeCU, KDE Kaidan, Miranda NG, Psi/Psi+ (with QCA), Tigase Stork IM, Vacuum IM | ||
* Libraries: cr-xmpp, libstrophe, QXmpp, Tigase JaXMPP, Wocky | * Libraries: cr-xmpp, liangdefeng/Sharp.Xmpp.Client, libstrophe, processone/xmpp, python-nbxmpp, QXmpp, Tigase JaXMPP, Wocky, processone/xmpp | ||
Others: | Others: | ||
* aiokafka, Atheme, Auth_SASL/Auth_SASL2, Authen-SCRAM, ba0f3/scram.nim, Couchbase, Cyrus SASL, Dovecot, Erlang Solutions Escalus, fast_scram, Haystack, Kafka, ldaptive, MailKit, Memcached, NeoMutt, OpenDJ, passlib.hash.scram, pwithnall/libscram, Skyspark, trondn/java-sasl-scram-sha1, UnboundID LDAP SDK, WildFly Elytron | * aiokafka, Atheme, Auth_SASL/Auth_SASL2, Authen-SCRAM, ba0f3/scram.nim, Couchbase, Cyrus SASL, DataEnter CryptoFilter, DataEnter POPBeamer, DataEnter SMTPBeamer, DataEnter XWall, Dovecot, Erlang Solutions Escalus, fast_scram, Haystack, Kafka, ldaptive, MailKit/MimeKit, Memcached, NeoMutt, ogrebgr/scram-sasl, OpenDJ, passlib.hash.scram, pwithnall/libscram, Skyspark, tlocke/scramp, Tigase TTS-NG, trondn/java-sasl-scram-sha1, UnboundID LDAP SDK, WildFly Elytron | ||
=== SCRAM-SHA3-512(-PLUS) === | === SCRAM-SHA3-512(-PLUS) === | ||
| Line 39: | Line 36: | ||
Already integrated by several XMPP softwares: | Already integrated by several XMPP softwares: | ||
* Servers: Jackal IM | |||
* Clients: KDE Kaidan | * Clients: KDE Kaidan | ||
* Libraries: QXmpp | * Libraries: QXmpp | ||
Others: | |||
* ba0f3/scram.nim, tlocke/scramp | |||
=== Order === | === Order === | ||
| Line 210: | Line 211: | ||
Server's server signature (hex): <code>ae617da6a57c4bbb2e0286568dae1d251905b0a4</code> | Server's server signature (hex): <code>ae617da6a57c4bbb2e0286568dae1d251905b0a4</code> | ||
== | == Further Reading == | ||
== Channel Bindings == | === Channel Bindings === | ||
* [https://tools.ietf.org/html/rfc5056 RFC5056: On the Use of Channel Bindings to Secure Channels] | * [https://tools.ietf.org/html/rfc5056 RFC5056: On the Use of Channel Bindings to Secure Channels] | ||
* [https://tools.ietf.org/html/rfc5929 RFC5929: Channel Bindings for TLS] | * [https://tools.ietf.org/html/rfc5929 RFC5929: Channel Bindings for TLS] | ||
* [https://tools.ietf.org/html/rfc9266 RFC9266: Channel Bindings for TLS 1.3] | |||
* [https://www.iana.org/assignments/channel-binding-types/channel-binding-types.xhtml Channel-Binding Types] | * [https://www.iana.org/assignments/channel-binding-types/channel-binding-types.xhtml Channel-Binding Types] | ||
== | === Other Related Protocols === | ||
* [https://tools.ietf.org/html/draft-melnikov-scram-bis Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms: draft-melnikov-scram-bis] | |||
* [https://tools.ietf.org/html/rfc9051 RFC9051: Internet Message Access Protocol (IMAP) - Version 4rev2] | |||
* [https://tools.ietf.org/html/rfc5803 RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing Salted: Challenge Response Authentication Mechanism (SCRAM) Secrets] | * [https://tools.ietf.org/html/rfc5803 RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing Salted: Challenge Response Authentication Mechanism (SCRAM) Secrets] | ||
* [https://tools.ietf.org/html/rfc7804 RFC7804: Salted Challenge Response HTTP Authentication Mechanism] | * [https://tools.ietf.org/html/rfc7804 RFC7804: Salted Challenge Response HTTP Authentication Mechanism] | ||
* [https://tools.ietf.org/html/draft-ietf-kitten-scram-2fa Extensions to Salted Challenge Response (SCRAM) for 2 factor authentication: draft-ietf-kitten-scram-2fa] | |||
* [https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml Simple Authentication and Security Layer (SASL) Mechanisms] | |||
* [https://github.com/scram-sasl/info/issues/1 SCRAM-SASL State of Play] | |||
* [https://tools.ietf.org/html/draft- | |||