[Standards] SCRAM interoperability
xramtsov at gmail.com
Thu Jan 24 14:38:34 UTC 2019
Can someone please clarify how to maintain interoperability of
SCRAM-SHA1 vs SCRAM-SHA256 vs SCRAM-SHA-WHATEVER, e.g.
when some clients support SCRAM-SHA1 only, but the password
was created in SCRAM-SHA256 format. I know it's still
possible to authenticate via PLAIN, however:
1) Using PLAIN creates a potential DoS for the server
due to expensive HMAC computational rounds.
2) Some admins prefer to disable PLAIN completely.
3) A client may see PLAIN as a downgrade attack. This
can happen when the password was changed from another client
with an incompatible SCRAM version.
Another problem is with "-PLUS" formats. RFC 7677 states:
> After publication of [RFC5802], it was discovered that Transport
> Layer Security (TLS) [RFC5246] does not have the expected properties
> for the "tls-unique" channel binding to be secure [RFC7627]
Does that mean that "-PLUS" doesn't provide additional security
and is now useless?
And yet another problem is that SCRAM is
unusable with third-party services such as STUN/TURN or SIP
which support only DIGEST HTTP-like authentication and
thus preventing from sharing the same credentials between
I'd like to see XSF taking a clear position on this
as well as creating some recommendation for the implementors
because the disambiguation creates interoperability problems.
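To make the SHA-1 vs SHA-256 storage problem from the first question concrete, here is an added Python sketch (not code from the post or from any XSF project) of the RFC 5802 derivation: a server that only kept SCRAM-SHA-256 StoredKey/ServerKey cannot verify a SCRAM-SHA-1 client's proof, while keeping one credential set per mechanism (derived from the plaintext at password-set time) does. Function names, the salt and the AuthMessage are constructed for the example; SASLprep is omitted.

```python
import hashlib
import hmac
from dataclasses import dataclass
@dataclass
class StoredCreds:
    """What a server keeps per mechanism (RFC 5802 section 5.1): never the password."""
    hash_name: str      # "sha1" for SCRAM-SHA-1, "sha256" for SCRAM-SHA-256
    salt: bytes
    iterations: int
    stored_key: bytes
    server_key: bytes

def derive(password: str, salt: bytes, iterations: int, hash_name: str):
    """RFC 5802 section 3 key derivation (SASLprep of the password omitted here)."""
    salted = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hash_name).digest()
    stored_key = hashlib.new(hash_name, client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hash_name).digest()
    return client_key, stored_key, server_key

def store_password(password, salt, iterations, hash_name) -> StoredCreds:
    _, stored_key, server_key = derive(password, salt, iterations, hash_name)
    return StoredCreds(hash_name, salt, iterations, stored_key, server_key)

def client_proof(password, salt, iterations, hash_name, auth_message: bytes) -> bytes:
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage), using the client's hash."""
    client_key, stored_key, _ = derive(password, salt, iterations, hash_name)
    signature = hmac.new(stored_key, auth_message, hash_name).digest()
    return bytes(a ^ b for a, b in zip(client_key, signature))

def server_verify(creds: StoredCreds, proof: bytes, auth_message: bytes) -> bool:
    """Recover ClientKey from the proof and check H(ClientKey) == StoredKey."""
    signature = hmac.new(creds.stored_key, auth_message, creds.hash_name).digest()
    if len(proof) != len(signature):     # e.g. 20-byte SHA-1 proof vs 32-byte SHA-256 keys
        return False
    client_key = bytes(a ^ b for a, b in zip(proof, signature))
    return hmac.compare_digest(hashlib.new(creds.hash_name, client_key).digest(), creds.stored_key)

def demo() -> dict:
    # Constructed sample values; a real salt is random and AuthMessage comes from the exchange.
    password, salt, iters = "correct horse", b"constructed-salt", 4096
    auth_message = b"n=user,r=cnonce,r=cnoncesnonce,s=Y29uc3RydWN0ZWQ=,i=4096,c=biws,r=cnoncesnonce"
    only_sha256 = {"sha256": store_password(password, salt, iters, "sha256")}
    both = dict(only_sha256, sha1=store_password(password, salt, iters, "sha1"))
    p1 = client_proof(password, salt, iters, "sha1", auth_message)
    p256 = client_proof(password, salt, iters, "sha256", auth_message)
    return {"sha256_client_vs_sha256_creds": server_verify(only_sha256["sha256"], p256, auth_message),
            "sha1_client_vs_sha256_creds": server_verify(only_sha256["sha256"], p1, auth_message),
            "sha1_client_vs_both_creds": server_verify(both["sha1"], p1, auth_message)}
```

The middle result is the interoperability failure the post describes: once only SHA-256 material is stored, a SHA-1-only client has no SCRAM path left, which is why the fallback to PLAIN comes up.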