[Standards] SCRAM interoperability

Evgeny xramtsov at gmail.com
Thu Jan 24 14:38:34 UTC 2019


Hi there.

Can someone please clarify how to maintain interoperability of
SCRAM-SHA1 vs SCRAM-SHA256 vs SCRAM-SHA-WHATEVER, e.g.
when some clients support SCRAM-SHA1 only, but the password
was created in SCRAM-SHA256 format. I know it's still
possible to authenticate via PLAIN, however:

1) Using PLAIN creates a potential DoS for the server
due to expensive HMAC computational rounds.
2) Some admins prefer to disable PLAIN completely.
3) A client may see PLAIN as a downgrade attack. This
can happen when the password was changed from another client
with an incompatible SCRAM version.

Another problem is with "-PLUS" formats. RFC 7677 states:

 > After publication of [RFC5802], it was discovered that Transport
 > Layer Security (TLS) [RFC5246] does not have the expected properties
 > for the "tls-unique" channel binding to be secure [RFC7627]

Does that mean that "-PLUS" doesn't provide additional security
and is now useless?

And yet another problem is that SCRAM is
unusable with third-party services such as STUN/TURN or SIP
which support only DIGEST HTTP-like authentication and
thus prevent sharing the same credentials between
the services.

I'd like to see XSF taking a clear position on this
as well as creating some recommendation for the implementors
because the disambiguation creates interoperability problems.
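The following worked example is added here to illustrate the first problem in the post; it is not code from the poster or from any XMPP server. It derives SCRAM stored credentials as RFC 5802 section 3 specifies (SaltedPassword via PBKDF2, then ClientKey, StoredKey and ServerKey), verifies a client proof against them, and then shows what the post describes: a credential stored for SHA-256 cannot verify a SCRAM-SHA-1 proof, and falling back to PLAIN forces the server to recompute the full PBKDF2 on every login. The salt, iteration count and AuthMessage are constructed values chosen for the example.

```python
import hashlib
import hmac

# Constructed example inputs (not from the post): RFC 5802 requires at
# least 4096 iterations; the AuthMessage is normally built from the
# client-first-bare, server-first and client-final-without-proof messages.
SALT = b"constructed-salt-0123456789"
ITERATIONS = 4096
AUTH_MESSAGE = b"n=user,r=cnonce,r=cnoncesnonce,s=c2FsdA==,i=4096,c=biws,r=cnoncesnonce"


def scram_stored_credentials(password: str, hash_name: str,
                             salt: bytes, iterations: int) -> dict:
    """What a server stores for one hash family (RFC 5802 section 3)."""
    salted_password = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"),
                                          salt, iterations)          # Hi()
    client_key = hmac.new(salted_password, b"Client Key", hash_name).digest()
    stored_key = hashlib.new(hash_name, client_key).digest()         # H(ClientKey)
    server_key = hmac.new(salted_password, b"Server Key", hash_name).digest()
    return {"hash": hash_name, "salt": salt, "iterations": iterations,
            "stored_key": stored_key, "server_key": server_key}


def client_proof(password: str, hash_name: str, salt: bytes,
                 iterations: int, auth_message: bytes) -> bytes:
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    salted_password = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"),
                                          salt, iterations)
    client_key = hmac.new(salted_password, b"Client Key", hash_name).digest()
    stored_key = hashlib.new(hash_name, client_key).digest()
    client_signature = hmac.new(stored_key, auth_message, hash_name).digest()
    return bytes(a ^ b for a, b in zip(client_key, client_signature))


def verify_client_proof(cred: dict, auth_message: bytes, proof: bytes) -> bool:
    """Server side: recover ClientKey from the proof and check H(ClientKey) == StoredKey.

    Only the stored credential's own hash can be used here, which is why a
    SHA-256 record cannot serve a SCRAM-SHA-1 client. Cost: two HMACs and one
    hash, no PBKDF2."""
    client_signature = hmac.new(cred["stored_key"], auth_message, cred["hash"]).digest()
    if len(proof) != len(client_signature):
        return False                      # proof from a different hash family
    client_key = bytes(a ^ b for a, b in zip(proof, client_signature))
    return hmac.compare_digest(hashlib.new(cred["hash"], client_key).digest(),
                               cred["stored_key"])


def verify_plain(cred: dict, password: str) -> bool:
    """PLAIN fallback against a SCRAM record: the server must rerun the full
    PBKDF2 (ITERATIONS rounds of HMAC) for every attempt, which is the
    computational cost the post's point 1 refers to."""
    recomputed = scram_stored_credentials(password, cred["hash"],
                                          cred["salt"], cred["iterations"])
    return hmac.compare_digest(recomputed["stored_key"], cred["stored_key"])


def interoperability_demo(password: str = "correct horse") -> dict:
    """Store the password as SCRAM-SHA-256 only, then try three logins."""
    cred_sha256 = scram_stored_credentials(password, "sha256", SALT, ITERATIONS)
    proof_sha256 = client_proof(password, "sha256", SALT, ITERATIONS, AUTH_MESSAGE)
    proof_sha1 = client_proof(password, "sha1", SALT, ITERATIONS, AUTH_MESSAGE)
    return {
        "sha256_client_ok": verify_client_proof(cred_sha256, AUTH_MESSAGE, proof_sha256),
        "sha1_client_ok": verify_client_proof(cred_sha256, AUTH_MESSAGE, proof_sha1),
        "plain_ok": verify_plain(cred_sha256, password),
        "plain_wrong_password_ok": verify_plain(cred_sha256, "wrong"),
    }


if __name__ == "__main__":
    for k, v in interoperability_demo().items():
        print(f"{k}: {v}")
```

The only way for the server to accept the SHA-1 client without PLAIN is to hold a separate credential record per hash family, each derived from the plaintext at the moment the password is set; the mismatch in the demo is structural, not a bug in either side.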
