1
2
3
4NETWORK WORKING GROUP                                       A. Menon-Sen
5Internet-Draft                                    Oryx Mail Systems GmbH
6Intended status: Standards Track                             A. Melnikov
7Expires: February 1, 2010                                      Isode Ltd
8                                                               C. Newman
9                                                             N. Williams
10                                                        Sun Microsystems
11                                                           July 31, 2009
12
13
14            Salted Challenge Response (SCRAM) SASL Mechanism
15                      draft-ietf-sasl-scram-04.txt
16
17Status of this Memo
18
19   This Internet-Draft is submitted to IETF in full conformance with the
20   provisions of BCP 78 and BCP 79.
21
22   Internet-Drafts are working documents of the Internet Engineering
23   Task Force (IETF), its areas, and its working groups.  Note that
24   other groups may also distribute working documents as Internet-
25   Drafts.
26
27   Internet-Drafts are draft documents valid for a maximum of six months
28   and may be updated, replaced, or obsoleted by other documents at any
29   time.  It is inappropriate to use Internet-Drafts as reference
30   material or to cite them other than as "work in progress."
31
32   The list of current Internet-Drafts can be accessed at
33   http://www.ietf.org/ietf/1id-abstracts.txt.
34
35   The list of Internet-Draft Shadow Directories can be accessed at
36   http://www.ietf.org/shadow.html.
37
38   This Internet-Draft will expire on February 1, 2010.
39
40Copyright Notice
41
42   Copyright (c) 2009 IETF Trust and the persons identified as the
43   document authors.  All rights reserved.
44
45   This document is subject to BCP 78 and the IETF Trust's Legal
46   Provisions Relating to IETF Documents in effect on the date of
47   publication of this document (http://trustee.ietf.org/license-info).
48   Please review these documents carefully, as they describe your rights
49   and restrictions with respect to this document.
50
51
52
53
54
55Menon-Sen, et al.       Expires February 1, 2010                [Page 1]
56
57Internet-Draft                    SCRAM                        July 2009
58
59
60Abstract
61
62   The secure authentication mechanism most widely deployed and used by
63   Internet application protocols is the transmission of clear-text
64   passwords over a channel protected by Transport Layer Security (TLS).
65   There are some significant security concerns with that mechanism,
66   which could be addressed by the use of a challenge response
67   authentication mechanism protected by TLS.  Unfortunately, the
68   challenge response mechanisms presently on the standards track all
69   fail to meet requirements necessary for widespread deployment, and
70   have had success only in limited use.
71
72   This specification describes a family of Simple Authentication and
73   Security Layer (SASL, RFC 4422) authentication mechanisms called the
74   Salted Challenge Response Authentication Mechanism (SCRAM), which
75   addresses the security concerns and meets the deployability
76   requirements.  When used in combination with TLS or an equivalent
77   security layer, a mechanism from this family could improve the
78   status-quo for application protocol authentication and provide a
79   suitable choice for a mandatory-to-implement mechanism for future
80   application protocol standards.
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111Menon-Sen, et al.       Expires February 1, 2010                [Page 2]
112
113Internet-Draft                    SCRAM                        July 2009
114
115
116Table of Contents
117
118   1.          Conventions Used in This Document  . . . . . . . . . .  4
119   1.1.        Terminology  . . . . . . . . . . . . . . . . . . . . .  4
120   1.2.        Notation . . . . . . . . . . . . . . . . . . . . . . .  5
121   2.          Introduction . . . . . . . . . . . . . . . . . . . . .  7
122   3.          SCRAM Algorithm Overview . . . . . . . . . . . . . . .  9
123   4.          SCRAM Mechanism Names  . . . . . . . . . . . . . . . . 10
124   5.          SCRAM Authentication Exchange  . . . . . . . . . . . . 11
125   5.1.        SCRAM Attributes . . . . . . . . . . . . . . . . . . . 12
126   6.          Channel Binding  . . . . . . . . . . . . . . . . . . . 15
127   6.1.        Default Channel Binding  . . . . . . . . . . . . . . . 16
128   7.          Formal Syntax  . . . . . . . . . . . . . . . . . . . . 17
129   8.          SCRAM as a GSS-API Mechanism . . . . . . . . . . . . . 20
130   8.1.        GSS-API Principal Name Types for SCRAM . . . . . . . . 20
131   8.2.        GSS-API Per-Message Tokens for SCRAM . . . . . . . . . 20
132   8.3.        GSS_Pseudo_random() for SCRAM  . . . . . . . . . . . . 21
133   9.          Security Considerations  . . . . . . . . . . . . . . . 22
134   10.         IANA Considerations  . . . . . . . . . . . . . . . . . 24
135   11.         Acknowledgements . . . . . . . . . . . . . . . . . . . 26
136   Appendix A. Other Authentication Mechanisms  . . . . . . . . . . . 27
137   Appendix B. Design Motivations . . . . . . . . . . . . . . . . . . 28
138   Appendix C. Internet-Draft Change History  . . . . . . . . . . . . 29
139   12.         References . . . . . . . . . . . . . . . . . . . . . . 31
140   12.1.       Normative References . . . . . . . . . . . . . . . . . 31
141   12.2.       Normative References for GSS-API implementors  . . . . 31
142   12.3.       Informative References . . . . . . . . . . . . . . . . 32
143               Authors' Addresses . . . . . . . . . . . . . . . . . . 34
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167Menon-Sen, et al.       Expires February 1, 2010                [Page 3]
168
169Internet-Draft                    SCRAM                        July 2009
170
171
1721.  Conventions Used in This Document
173
174   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
175   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
176   document are to be interpreted as described in [RFC2119].
177
178   Formal syntax is defined by [RFC5234] including the core rules
179   defined in Appendix B of [RFC5234].
180
181   Example lines prefaced by "C:" are sent by the client and ones
182   prefaced by "S:" by the server.  If a single "C:" or "S:" label
183   applies to multiple lines, then the line breaks between those lines
184   are for editorial clarity only, and are not part of the actual
185   protocol exchange.
186
1871.1.  Terminology
188
189   This document uses several terms defined in [RFC4949] ("Internet
190   Security Glossary") including the following: authentication,
191   authentication exchange, authentication information, brute force,
192   challenge-response, cryptographic hash function, dictionary attack,
193   eavesdropping, hash result, keyed hash, man-in-the-middle, nonce,
194   one-way encryption function, password, replay attack and salt.
195   Readers not familiar with these terms should use that glossary as a
196   reference.
197
198   Some clarifications and additional definitions follow:
199
200   o  Authentication information: Information used to verify an identity
201      claimed by a SCRAM client.  The authentication information for a
202      SCRAM identity consists of salt, iteration count, the "StoredKey"
203      and "ServerKey" (as defined in the algorithm overview) for each
204      supported cryptographic hash function.
205
206   o  Authentication database: The database used to look up the
207      authentication information associated with a particular identity.
208      For application protocols, LDAPv3 (see [RFC4510]) is frequently
209      used as the authentication database.  For network-level protocols
210      such as PPP or 802.11x, the use of RADIUS is more common.
211
212   o  Base64: An encoding mechanism defined in [RFC4648] which converts
213      an octet string input to a textual output string which can be
214      easily displayed to a human.  The use of base64 in SCRAM is
215      restricted to the canonical form with no whitespace.
216
217   o  Octet: An 8-bit byte.
218
219   o  Octet string: A sequence of 8-bit bytes.
220
221
222
223Menon-Sen, et al.       Expires February 1, 2010                [Page 4]
224
225Internet-Draft                    SCRAM                        July 2009
226
227
228   o  Salt: A random octet string that is combined with a password
229      before applying a one-way encryption function.  This value is used
230      to protect passwords that are stored in an authentication
231      database.
232
2331.2.  Notation
234
235   The pseudocode description of the algorithm uses the following
236   notations:
237
238   o  ":=": The variable on the left hand side represents the octet
239      string resulting from the expression on the right hand side.
240
241   o  "+": Octet string concatenation.
242
243   o  "[ ]": A portion of an expression enclosed in "[" and "]" may not
244      be included in the result under some circumstances.  See the
245      associated text for a description of those circumstances.
246
247   o  HMAC(key, str): Apply the HMAC keyed hash algorithm (defined in
248      [RFC2104]) using the octet string represented by "key" as the key
249      and the octet string "str" as the input string.  The size of the
250      result is the hash result size for the hash function in use.  For
251      example, it is 20 octets for SHA-1 (see [RFC3174]).
252
253   o  H(str): Apply the cryptographic hash function to the octet string
254      "str", producing an octet string as a result.  The size of the
255      result depends on the hash result size for the hash function in
256      use.
257
258   o  XOR: Apply the exclusive-or operation to combine the octet string
259      on the left of this operator with the octet string on the right of
260      this operator.  The length of the output and each of the two
261      inputs will be the same for this use.
262
263   o  Hi(str, salt):
264
265
266
267      U0   := HMAC(str, salt + INT(1))
268      U1   := HMAC(str, U0)
269      U2   := HMAC(str, U1)
270      ...
271      Ui-1 := HMAC(str, Ui-2)
272      Ui   := HMAC(str, Ui-1)
273
274      Hi := U0 XOR U1 XOR U2 XOR ... XOR Ui
275
276
277
278
279Menon-Sen, et al.       Expires February 1, 2010                [Page 5]
280
281Internet-Draft                    SCRAM                        July 2009
282
283
284      where "i" is the iteration count, "+" is the string concatenation
285      operator and INT(g) is a four-octet encoding of the integer g,
286      most significant octet first.
287
288   o  This is, essentially, PBKDF2 [RFC2898] with HMAC() as the PRF and
289      with dkLen == output length of HMAC() == output length of H().
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335Menon-Sen, et al.       Expires February 1, 2010                [Page 6]
336
337Internet-Draft                    SCRAM                        July 2009
338
339
3402.  Introduction
341
342   This specification describes a family of authentication mechanisms
343   called the Salted Challenge Response Authentication Mechanism (SCRAM)
344   which addresses the requirements necessary to deploy a challenge-
345   response mechanism more widely than past attempts.  When used in
346   combination with Transport Layer Security (TLS, see [RFC5246]) or an
347   equivalent security layer, a mechanism from this family could improve
348   the status-quo for application protocol authentication and provide a
349   suitable choice for a mandatory-to-implement mechanism for future
350   application protocol standards.
351
352   For simplicity, this family of mechanisms does not presently include
353   negotiation of a security layer [RFC4422].  It is intended to be used
354   with an external security layer such as that provided by TLS or SSH,
355   with optional channel binding [RFC5056] to the external security
356   layer.
357
358   SCRAM is specified herein as a pure Simple Authentication and
359   Security Layer (SASL) [RFC4422] mechanism, but it conforms to the new
360   bridge between SASL and the Generic Security Services Application
361   Programming Interface (GSS-API) called "GS2" [I-D.ietf-sasl-gs2].
362   This means that this document defines both, a SASL mechanism and a
363   GSS-API mechanism.
364
365   SCRAM provides the following protocol features:
366
367   o  The authentication information stored in the authentication
368      database is not sufficient by itself to impersonate the client.
369      The information is salted to prevent a pre-stored dictionary
370      attack if the database is stolen.
371
372   o  The server does not gain the ability to impersonate the client to
373      other servers (with an exception for server-authorized proxies).
374
375   o  The mechanism permits the use of a server-authorized proxy without
376      requiring that proxy to have super-user rights with the back-end
377      server.
378
379   o  Mutual authentication is supported, but only the client is named
380      (i.e., the server has no name).
381
382   A separate document defines a standard LDAPv3 [RFC4510] attribute
383   that enables storage of the SCRAM authentication information in LDAP.
384   See [I-D.melnikov-sasl-scram-ldap].
385
386   For an in-depth discussion of why other challenge response mechanisms
387   are not considered sufficient, see appendix A.  For more information
388
389
390
391Menon-Sen, et al.       Expires February 1, 2010                [Page 7]
392
393Internet-Draft                    SCRAM                        July 2009
394
395
396   about the motivations behind the design of this mechanism, see
397   appendix B.
398
399   Comments regarding this draft may be sent either to the
400   ietf-sasl@imc.org mailing list or to the authors.
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447Menon-Sen, et al.       Expires February 1, 2010                [Page 8]
448
449Internet-Draft                    SCRAM                        July 2009
450
451
4523.  SCRAM Algorithm Overview
453
454   Note that this section omits some details, such as client and server
455   nonces.  See Section 5 for more details.
456
457   To begin with, the SCRAM client is in possession of a username and
458   password.  It sends the username to the server, which retrieves the
459   corresponding authentication information, i.e. a salt, StoredKey,
460   ServerKey and the iteration count i.  (Note that a server
461   implementation may chose to use the same iteration count for all
462   accounts.)  The server sends the salt and the iteration count to the
463   client, which then computes the following values and sends a
464   ClientProof to the server:
465
466
467      SaltedPassword  := Hi(password, salt)
468      ClientKey       := HMAC(SaltedPassword, "Client Key")
469      StoredKey       := H(ClientKey)
470      AuthMessage     := client-first-message-bare + "," +
471                         server-first-message + "," +
472                         client-final-message-without-proof
473      ClientSignature := HMAC(StoredKey, AuthMessage)
474      ClientProof     := ClientKey XOR ClientSignature
475      ServerKey       := HMAC(SaltedPassword, "Server Key")
476      ServerSignature := HMAC(ServerKey, AuthMessage)
477
478
479   The server authenticates the client by computing the ClientSignature,
480   exclusive-ORing that with the ClientProof to recover the ClientKey
481   and verifying the correctness of the ClientKey by applying the hash
482   function and comparing the result to the StoredKey.  If the ClientKey
483   is correct, this proves that the client has access to the user's
484   password.
485
486   Similarly, the client authenticates the server by computing the
487   ServerSignature and comparing it to the value sent by the server.  If
488   the two are equal, it proves that the server had access to the user's
489   ServerKey.
490
491   The AuthMessage is computed by concatenating messages from the
492   authentication exchange.  The format of these messages is defined in
493   Section 7.
494
495
496
497
498
499
500
501
502
503Menon-Sen, et al.       Expires February 1, 2010                [Page 9]
504
505Internet-Draft                    SCRAM                        July 2009
506
507
5084.  SCRAM Mechanism Names
509
510   A SCRAM mechanism name is a string "SCRAM-" followed by the
511   uppercased name of the underlying hash function taken from the IANA
512   "Hash Function Textual Names" registry (see http://www.iana.org),
513   optionally followed by the suffix "-PLUS" (see below).  Note that
514   SASL mechanism names are limited to 20 characters, which means that
515   only hash function names with lengths shorter or equal to 9
516   characters (20-length("SCRAM-")-length("-PLUS") can be used.  For
517   cases when the underlying hash function name is longer than 9
518   characters, an alternative 9 character (or shorter) name can be used
519   to construct the corresponding SCRAM mechanism name, as long as this
520   alternative name doesn't conflict with any other hash function name
521   from the IANA "Hash Function Textual Names" registry.
522
523   For interoperability, all SCRAM clients and servers MUST implement
524   the SCRAM-SHA-1 authentication mechanism, i.e. an authentication
525   mechanism from the SCRAM family that uses the SHA-1 hash function as
526   defined in [RFC3174].
527
528   The "-PLUS" suffix is used only when the server supports channel
529   binding to the external channel.  If the server supports channel
530   binding, it will advertise both the "bare" and "plus" versions of
531   whatever mechanisms it supports (e.g., if the server supports only
532   SCRAM with SHA-1 then it will advertise support for both SCRAM-SHA-1
533   and SCRAM-SHA-1-PLUS); if the server does not support channel
534   binding, then it will advertise only the "bare" version of the
535   mechanism (e.g., only SCRAM-SHA-1).  The "-PLUS" exists to allow
536   negotiation of the use of channel binding.  See Section 6.
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559Menon-Sen, et al.       Expires February 1, 2010               [Page 10]
560
561Internet-Draft                    SCRAM                        July 2009
562
563
5645.  SCRAM Authentication Exchange
565
566   SCRAM is a SASL mechanism whose client response and server challenge
567   messages are text-based messages containing one or more attribute-
568   value pairs separated by commas.  Each attribute has a one-letter
569   name.  The messages and their attributes are described in
570   Section 5.1, and defined in Section 7.
571
572   This is a simple example of a SCRAM-SHA-1 authentication exchange
573   when the client doesn't support channel bindings:
574
575
576      C: n,,n=Chris Newman,r=ClientNonce
577      S: r=ClientNonceServerNonce,s=PxR/wv+epq,i=128
578      C: c=biwsCg==,r=ClientNonceServerNonce,p=WxPv/siO5l+qxN4
579      S: v=WxPv/siO5l+qxN4
580
581
582   [[anchor5: Note that the all hashes above are fake and will be fixed
583   during AUTH48.]]
584
585   With channel-binding data sent by the client this might look like
586   this (see [tls-server-end-point] for the definition of tls-server-
587   end-point TLS channel binding):
588
589
590      C: p=tls-server-end-point,,n=Chris Newman,r=ClientNonce
591      S: r=ClientNonceServerNonce,s=PxR/wv+epq,i=128
592      C: c=cD10bHMtc2VydmVyLWVuZC1wb2ludCwsy1hFtXOnZ+ySrQM6srFp
593         l/77uqvtxrg7nBY1BetEr/g=,r=ClientNonceServerNonce,p=Wx
594         Pv/siO5l+qxN4
595      S: v=WxPv/siO5l+qxN4
596
597
598   [[anchor6: Note that all hashes above are fake and will be fixed
599   during AUTH48.]]
600
601   First, the client sends a message containing:
602
603   o  a GS2 header consisting of a flag indicating whether channel
604      binding is supported-but-not-used, not supported, or used, and an
605      optional SASL authorization identity;
606
607   o  SCRAM username and a random, unique nonce attributes.
608
609   Note that the client's first message will always start with "n", "y"
610   or "p", otherwise the message is invalid and authentication MUST
611   fail.  This is important, as it allows for GS2 extensibility (e.g.,
612
613
614
615Menon-Sen, et al.       Expires February 1, 2010               [Page 11]
616
617Internet-Draft                    SCRAM                        July 2009
618
619
620   to add support for security layers).
621
622   In response, the server sends the user's iteration count i, the
623   user's salt, and appends its own nonce to the client-specified one.
624   The client then responds with the same nonce and a ClientProof
625   computed using the selected hash function as explained earlier.  The
626   server verifies the nonce and the proof, verifies that the
627   authorization identity (if supplied by the client in the first
628   message) is authorized to act as the authentication identity, and,
629   finally, it responds with a ServerSignature, concluding the
630   authentication exchange.  The client then authenticates the server by
631   computing the ServerSignature and comparing it to the value sent by
632   the server.  If the two are different, the client MUST consider the
633   authentication exchange to be unsuccessful and it might have to drop
634   the connection.
635
6365.1.  SCRAM Attributes
637
638   This section describes the permissible attributes, their use, and the
639   format of their values.  All attribute names are single US-ASCII
640   letters and are case-sensitive.
641
642   Note that the order of attributes in client or server messages is
643   fixed, with the exception of extension attributes (described by the
644   "extensions" ABNF production), which can appear in any order in the
645   designated positions.  See the ABNF section for authoritative
646   reference.
647
648   o  a: This is an optional attribute, and is part of the GS2
649      [I-D.ietf-sasl-gs2] bridge between the GSS-API and SASL.  This
650      attribute specifies an authorization identity.  A client may
651      include it in its first message to the server if it wants to
652      authenticate as one user, but subsequently act as a different
653      user.  This is typically used by an administrator to perform some
654      management task on behalf of another user, or by a proxy in some
655      situations.
656
657         Upon the receipt of this value the server verifies its
658         correctness according to the used SASL protocol profile.
659         Failed verification results in failed authentication exchange.
660
661         If this attribute is omitted (as it normally would be), the
662         authorization identity is assumed to be derived from the
663         username specified with the (required) "n" attribute.
664
665         The server always authenticates the user specified by the "n"
666         attribute.  If the "a" attribute specifies a different user,
667         the server associates that identity with the connection after
668
669
670
671Menon-Sen, et al.       Expires February 1, 2010               [Page 12]
672
673Internet-Draft                    SCRAM                        July 2009
674
675
676         successful authentication and authorization checks.
677
678         The syntax of this field is the same as that of the "n" field
679         with respect to quoting of '=' and ','.
680
681   o  n: This attribute specifies the name of the user whose password is
682      used for authentication (a.k.a. "authentication identity"
683      [RFC4422]).  A client MUST include it in its first message to the
684      server.  If the "a" attribute is not specified (which would
685      normally be the case), this username is also the identity which
686      will be associated with the connection subsequent to
687      authentication and authorization.
688
689         Before sending the username to the server, the client MUST
690         prepare the username using the "SASLPrep" profile [RFC4013] of
691         the "stringprep" algorithm [RFC3454].  If the preparation of
692         the username fails or results in an empty string, the client
693         SHOULD abort the authentication exchange (*).
694
695         (*) An interactive client can request a repeated entry of the
696         username value.
697
698         Upon receipt of the username by the server, the server SHOULD
699         prepare it using the "SASLPrep" profile [RFC4013] of the
700         "stringprep" algorithm [RFC3454].  If the preparation of the
701         username fails or results in an empty string, the server SHOULD
702         abort the authentication exchange.
703
704         The characters ',' or '=' in usernames are sent as '=2C' and
705         '=3D' respectively.  If the server receives a username which
706         contains '=' not followed by either '2C' or '3D', then the
707         server MUST fail the authentication.
708
709   o  m: This attribute is reserved for future extensibility.  In this
710      version of SCRAM, its presence in a client or a server message
711      MUST cause authentication failure when the attribute is parsed by
712      the other end.
713
714   o  r: This attribute specifies a sequence of random printable
715      characters excluding ',' which forms the nonce used as input to
716      the hash function.  No quoting is applied to this string.  As
717      described earlier, the client supplies an initial value in its
718      first message, and the server augments that value with its own
719      nonce in its first response.  It is important that this value be
720      different for each authentication.  The client MUST verify that
721      the initial part of the nonce used in subsequent messages is the
722      same as the nonce it initially specified.  The server MUST verify
723      that the nonce sent by the client in the second message is the
724
725
726
727Menon-Sen, et al.       Expires February 1, 2010               [Page 13]
728
729Internet-Draft                    SCRAM                        July 2009
730
731
732      same as the one sent by the server in its first message.
733
734   o  c: This REQUIRED attribute specifies base64-encoded of a header
735      and the channel-binding data.  It is sent by the client in its
736      second authentication message.  The header consist of:
737
738      *  the GS2 header from the client's first message (recall: a
739         channel binding flag and an optional authzid).  This header is
740         going to include channel binding type prefix (see [RFC5056]),
741         if and only if the client is using channel binding;
742
743      *  followed by the external channel's channel binding data, if and
744         only if the client is using channel binding.
745
746   o  s: This attribute specifies the base64-encoded salt used by the
747      server for this user.  It is sent by the server in its first
748      message to the client.
749
750   o  i: This attribute specifies an iteration count for the selected
751      hash function and user, and MUST be sent by the server along with
752      the user's salt.
753
754         For SCRAM-SHA-1/SCRAM-SHA-1-PLUS SASL mechanism servers SHOULD
755         announce a hash iteration-count of at least 4096.  Note that a
756         client implementation MAY cache SaltedPassword/ClientKey for
757         later reauthentication to the same service, as it is likely
758         that the server is going to advertise the same salt value upon
759         reauthentication.  This might be useful for mobile clients
760         where CPU usage is a concern.
761
762   o  p: This attribute specifies a base64-encoded ClientProof.  The
763      client computes this value as described in the overview and sends
764      it to the server.
765
766   o  v: This attribute specifies a base64-encoded ServerSignature.  It
767      is sent by the server in its final message, and is used by the
768      client to verify that the server has access to the user's
769      authentication information.  This value is computed as explained
770      in the overview.
771
772
773
774
775
776
777
778
779
780
781
782
783Menon-Sen, et al.       Expires February 1, 2010               [Page 14]
784
785Internet-Draft                    SCRAM                        July 2009
786
787
7886.  Channel Binding
789
790   SCRAM supports channel binding to external secure channels, such as
791   TLS.  Clients and servers may or may not support channel binding,
792   therefore the use of channel binding is negotiable.  SCRAM does not
793   provide security layers, however, therefore it is imperative that
794   SCRAM provide integrity protection for the negotiation of channel
795   binding.
796
797   Use of channel binding is negotiated as follows:
798
799   o  Servers SHOULD advertise both non-PLUS (SCRAM-<hash-function>) and
800      the PLUS-variant (SCRAM-<hash-function>-PLUS) SASL mechanism
801      names.  If the server cannot support channel binding, it MAY
802      advertise only the non-PLUS variant.  If the server would never
803      succeed authentication of the non-PLUS variant due to policy
804      reasons, it MAY advertise only the PLUS-variant.
805
806   o  If the client negotiates mechanisms then the client MUST select
807      SCRAM-<hash-function>-PLUS if offered by the server and the client
808      wants to select SCRAM with the given hash function.  Otherwise
809      (the client does not negotiate mechanisms), if the client has no
810      prior knowledge about mechanisms supported by the server and
811      wasn't explicitly configured to use a particular variant of the
812      SCRAM mechanism, then it MUST select only SCRAM-<hash-function>
813      (not suffixed with "-PLUS").
814
815   o  If the client supports channel binding and the server appears to
816      support it (i.e., the client sees SCRAM-<hash-function>-PLUS), or
817      if the client wishes to use channel binding but the client does
818      not negotiate mechanisms, then the client MUST set the GS2 channel
819      binding flag to "p" in order to indicate the channel binding type
820      it is using and it MUST include the channel binding data for the
821      external channel in the computation of the "c=" attribute (see
822      Section 5.1).
823
824   o  If the client supports channel binding but the server does not
825      appear to (i.e., the client did not see SCRAM-<hash-function>-
826      PLUS) then the client MUST either fail authentication or it MUST
827      choose the non-PLUS mechanism and set the GS2 channel binding flag
828      to "y" and MUST NOT include channel binding data for the external
829      channel in the computation of the "c=" attribute (see
830      Section 5.1).
831
832   o  If the client does not support channel binding then the client
833      MUST set the GS2 channel binding flag to "n" and MUST NOT include
834      channel binding data for the external channel in the computation
835      of the "c=" attribute (see Section 5.1).
836
837
838
839Menon-Sen, et al.       Expires February 1, 2010               [Page 15]
840
841Internet-Draft                    SCRAM                        July 2009
842
843
844   o  Upon receipt of the client first message the server checks the GS2
845      channel binding flag (gs2-cb-flag).
846
847      *  If the flag is set to "y" and the server supports channel
848         binding the server MUST fail authentication.  This is because
849         if the client sets the GS2 channel binding flag set to "y" then
850         the client must have believed that the server did not support
851         channel binding -- if the server did in fact support channel
852         binding then this is an indication that there has been a
853         downgrade attack (e.g., an attacker changed the server's
854         mechanism list to exclude the -PLUS suffixed SCRAM mechanism
855         name(s)).
856
857      *  If the channel binding flag was "p" and the server does not
858         support the indicated channel binding type then the server MUST
859         fail authentication.
860
861   The server MUST always validate the client's "c=" field.  The server
862   does this by constructing the value of the "c=" attribute and then
863   checking that it matches the client's c= attribute value.
864
865   For more discussions of channel bindings, and the syntax of the
866   channel binding data for various security protocols, see [RFC5056].
867
8686.1.  Default Channel Binding
869
870   A default channel binding type agreement process for all SASL
871   application protocols that do not provide their own channel binding
872   type agreement is provided as follows.
873
874   'tls-unique' is the default channel binding type for any application
875   that doesn't specify one.
876
877   Servers MUST implement the "tls-unique" [tls-unique]
878   [I-D.altman-tls-channel-bindings] channel binding type, if they
879   implement any channel binding.  Clients SHOULD implement the "tls-
880   unique" [tls-unique] [I-D.altman-tls-channel-bindings] channel
881   binding type, if they implement any channel binding.  Clients and
882   servers SHOULD choose the highest- layer/innermost end-to-end TLS
883   channel as the channel to bind to.
884
885   Servers MUST choose the channel binding type indicated by the client,
886   or fail authentication if they don't support it.
887
888
889
890
891
892
893
894
895Menon-Sen, et al.       Expires February 1, 2010               [Page 16]
896
897Internet-Draft                    SCRAM                        July 2009
898
899
9007.  Formal Syntax
901
902   The following syntax specification uses the Augmented Backus-Naur
903   Form (ABNF) notation as specified in [RFC5234].  "UTF8-2", "UTF8-3"
904   and "UTF8-4" non-terminal are defined in [RFC3629].
905
906
907     ALPHA = <as defined in RFC 5234 appendix B.1>
908     DIGIT = <as defined in RFC 5234 appendix B.1>
909     UTF8-2 = <as defined in RFC 3629 (STD 63)>
910     UTF8-3 = <as defined in RFC 3629 (STD 63)>
911     UTF8-4 = <as defined in RFC 3629 (STD 63)>
912
913     attr-val        = ALPHA "=" value
914                       ;; Generic syntax of any attribute sent
915                       ;; by server or client
916
917     value           = 1*value-char
918
919     value-safe-char = %x01-2B / %x2D-3C / %x3E-7F /
920                       UTF8-2 / UTF8-3 / UTF8-4
921                       ;; UTF8-char except NUL, "=", and ",".
922
923     value-char      = value-safe-char / "="
924
925     base64-char     = ALPHA / DIGIT / "/" / "+"
926
927     base64-4        = 4base64-char
928
929     base64-3        = 3base64-char "="
930
931     base64-2        = 2base64-char "=="
932
933     base64          = *base64-4 [base64-3 / base64-2]
934
935     posit-number = %x31-39 *DIGIT
936                       ;; A positive number
937
938     saslname        = 1*(value-safe-char / "=2C" / "=3D")
939                       ;; Conforms to <value>
940
941     authzid         = "a=" saslname
942                       ;; Protocol specific.
943
944     cb-name         = 1*(ALPHA / DIGIT / "." / "-")
945                        ;; See RFC 5056 section 7.
946                        ;; E.g. "tls-server-end-point" or
947                        ;; "tls-unique"
948
949
950
951Menon-Sen, et al.       Expires February 1, 2010               [Page 17]
952
953Internet-Draft                    SCRAM                        July 2009
954
955
956     gs2-cbind-flag  = "p=" cb-name / "n" / "y"
957                       ;; "n" -> client doesn't support channel binding
958                       ;; "y" -> client does support channel binding
959                       ;;        but thinks the server does not.
960                       ;; "p" -> client requires channel binding.
961                       ;; The selected channel binding follows "p=".
962
963     gs2-header      = gs2-cbind-flag "," [ authzid ] ","
964                       ;; GS2 header for SCRAM
965                       ;; (the actual GS2 header includes an optional
966                       ;; flag to indicate that the GSS mechanism is not
967                       ;; "standard" but since SCRAM is "standard" we
968                       ;; don't include that flag).
969
970     username        = "n=" saslname
971                       ;; Usernames are prepared using SASLPrep.
972
973     reserved-mext  = "m=" 1*(value-char)
974                       ;; Reserved for signalling mandatory extensions.
975                       ;; The exact syntax will be defined in
976                       ;; the future.
977
978     channel-binding = "c=" base64
979                       ;; base64 encoding of cbind-input
980
981     proof           = "p=" base64
982
983     nonce           = "r=" c-nonce [s-nonce]
984                       ;; Second part provided by server.
985
986     c-nonce         = value
987
988     s-nonce         = value
989
990     salt            = "s=" base64
991
992     verifier        = "v=" base64
993                       ;; base-64 encoded ServerSignature.
994
995     iteration-count = "i=" posit-number
996                       ;; A positive number
997
998     client-first-message-bare =
999                       [reserved-mext ","]
1000                       username "," nonce ["," extensions]
1001
1002     client-first-message =
1003                       gs2-header client-first-message-bare
1004
1005
1006
1007Menon-Sen, et al.       Expires February 1, 2010               [Page 18]
1008
1009Internet-Draft                    SCRAM                        July 2009
1010
1011
1012     server-first-message =
1013                       [reserved-mext ","] nonce "," salt ","
1014                       iteration-count ["," extensions]
1015
1016     client-final-message-without-proof =
1017                       channel-binding "," nonce [","
1018                       extensions]
1019
1020     client-final-message =
1021                       client-final-message-without-proof "," proof
1022
1023     gss-server-error = "e=" value
1024     server-final-message = gss-server-error /
1025                       verifier ["," extensions]
1026                       ;; The error message is only for the GSS-API
1027                       ;; form of SCRAM, and it is OPTIONAL to
1028                       ;; implement it.
1029
1030     extensions = attr-val *("," attr-val)
1031                       ;; All extensions are optional,
1032                       ;; i.e. unrecognized attributes
1033                       ;; not defined in this document
1034                       ;; MUST be ignored.
1035
1036     cbind-data    = 1*OCTET
1037
1038     cbind-input   = gs2-header [ cbind-data ]
1039                       ;; cbind-data MUST be present for
1040                       ;; gs2-cbind-flag of "p" and MUST be absent
1041                       ;; for "y" or "n".
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063Menon-Sen, et al.       Expires February 1, 2010               [Page 19]
1064
1065Internet-Draft                    SCRAM                        July 2009
1066
1067
10688.  SCRAM as a GSS-API Mechanism
1069
1070   This section and its sub-sections and all normative references of it
1071   not referenced elsewhere in this document are INFORMATIONAL for SASL
1072   implementors, but they are NORMATIVE for GSS-API implementors.
1073
1074   SCRAM is actually also GSS-API mechanism.  The messages are the same,
1075   but a) the GS2 header on the client's first message and channel
1076   binding data is excluded when SCRAM is used as a GSS-API mechanism,
1077   and b) the RFC2743 section 3.1 initial context token header is
1078   prefixed to the client's first authentication message (context
1079   token).
1080
1081   The GSS-API mechanism OID for SCRAM is <TBD> (see Section 10).
1082
10838.1.  GSS-API Principal Name Types for SCRAM
1084
1085   SCRAM does not name acceptors.  Therefore only GSS_C_NO_NAME and
1086   names of type GSS_C_NT_ANONYMOUS shall be allowed as the target name
1087   input of GSS_Init_sec_context() when using a SCRAM mechanism.
1088
1089   SCRAM supports only a single name type for initiators:
1090   GSS_C_NT_USER_NAME.  GSS_C_NT_USER_NAME is the default name type for
1091   SCRAM.
1092
1093   There is no name canonicalization procedure for SCRAM beyond applying
1094   SASLprep as described in Section 5.1.
1095
1096   The query, display and exported name syntax for SCRAM principal names
1097   is the same: there is no syntax -- SCRAM principal names are free-
1098   form.  (The exported name token does, of course, conform to [RFC2743]
1099   section 3.2, but the "NAME" part of the token is just a SCRAM user
1100   name.)
1101
11028.2.  GSS-API Per-Message Tokens for SCRAM
1103
1104   The per-message tokens for SCRAM as a GSS-API mechanism SHALL be the
1105   same as those for the Kerberos V GSS-API mechanism [RFC4121], using
1106   the Kerberos V "aes128-cts-hmac-sha1-96" enctype [RFC3962].
1107
1108   The 128-bit session key SHALL be derived by using the least
1109   significant (right-most) 128 bits of HMAC(StoredKey, "GSS-API session
1110   key" || ClientKey || AuthMessage).
1111
1112   SCRAM does support PROT_READY, and is PROT_READY on the initiator
1113   side first upon receipt of the server's reply to the initial security
1114   context token.
1115
1116
1117
1118
1119Menon-Sen, et al.       Expires February 1, 2010               [Page 20]
1120
1121Internet-Draft                    SCRAM                        July 2009
1122
1123
11248.3.  GSS_Pseudo_random() for SCRAM
1125
1126   The GSS_Pseudo_random() [RFC4401] for SCRAM SHALL be the same as for
1127   the Kerberos V GSS-API mechanism [RFC4402].  There is no acceptor-
1128   asserted sub-session key for SCRAM, thus GSS_C_PRF_KEY_FULL and
1129   GSS_C_PRF_KEY_PARTIAL are equivalent for SCRAM's GSS_Pseudo_random().
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175Menon-Sen, et al.       Expires February 1, 2010               [Page 21]
1176
1177Internet-Draft                    SCRAM                        July 2009
1178
1179
11809.  Security Considerations
1181
1182   If the authentication exchange is performed without a strong security
1183   layer, then a passive eavesdropper can gain sufficient information to
1184   mount an offline dictionary or brute-force attack which can be used
1185   to recover the user's password.  The amount of time necessary for
1186   this attack depends on the cryptographic hash function selected, the
1187   strength of the password and the iteration count supplied by the
1188   server.  An external security layer with strong encryption will
1189   prevent this attack.
1190
1191   If the external security layer used to protect the SCRAM exchange
1192   uses an anonymous key exchange, then the SCRAM channel binding
1193   mechanism can be used to detect a man-in-the-middle attack on the
1194   security layer and cause the authentication to fail as a result.
1195   However, the man-in-the-middle attacker will have gained sufficient
1196   information to mount an offline dictionary or brute-force attack.
1197   For this reason, SCRAM includes the ability to increase the iteration
1198   count over time.
1199
1200   If the authentication information is stolen from the authentication
1201   database, then an offline dictionary or brute-force attack can be
1202   used to recover the user's password.  The use of salt mitigates this
1203   attack somewhat by requiring a separate attack on each password.
1204   Authentication mechanisms which protect against this attack are
1205   available (e.g., the EKE class of mechanisms).  RFC 2945 [RFC2945] is
1206   an example of such technology.  There are IPR disclosures at
1207   http://datatracker.ietf.org/ipr/ that mention RFC 2945.
1208
1209   If an attacker obtains the authentication information from the
1210   authentication repository and either eavesdrops on one authentication
1211   exchange or impersonates a server, the attacker gains the ability to
1212   impersonate that user to all servers providing SCRAM access using the
1213   same hash function, password, iteration count and salt.  For this
1214   reason, it is important to use randomly-generated salt values.
1215
1216   SCRAM does not negotiate a hash function to use.  Hash function
1217   negotiation is left to the SASL mechanism negotiation.  It is
1218   important that clients be able to sort a locally available list of
1219   mechanisms by preference so that the client may pick the most
1220   preferred of a server's advertised mechanism list.  This preference
1221   order is not specified here as it is a local matter.  The preference
1222   order should include objective and subjective notions of mechanism
1223   cryptographic strength (e.g., SCRAM with a successor to SHA-1 may be
1224   preferred over SCRAM with SHA-1).
1225
1226   Note that to protect the SASL mechanism negotiation applications
1227   normally must list the server mechs twice: once before and once after
1228
1229
1230
1231Menon-Sen, et al.       Expires February 1, 2010               [Page 22]
1232
1233Internet-Draft                    SCRAM                        July 2009
1234
1235
1236   authentication, the latter using security layers.  Since SCRAM does
1237   not provide security layers the only ways to protect the mechanism
1238   negotiation are: a) use channel binding to an external channel, or b)
1239   use an external channel that authenticates a user-provided server
1240   name.
1241
1242   SCRAM does not protect against downgrade attacks of channel binding
1243   types.  The complexities of negotiation a channel binding type, and
1244   handling down-grade attacks in that negotiation, was intentionally
1245   left out of scope for this document.
1246
1247   A hostile server can perform a computational denial-of-service attack
1248   on clients by sending a big iteration count value.
1249
1250   See [RFC4086] for more information about generating randomness.
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287Menon-Sen, et al.       Expires February 1, 2010               [Page 23]
1288
1289Internet-Draft                    SCRAM                        July 2009
1290
1291
129210.  IANA Considerations
1293
1294   IANA is requested to add the following family of SASL mechanisms to
1295   the SASL Mechanism registry established by [RFC4422]:
1296
1297
1298   To: iana@iana.org
1299   Subject: Registration of a new SASL family SCRAM
1300
1301   SASL mechanism name (or prefix for the family): SCRAM-*
1302   Security considerations: Section 7 of [RFCXXXX]
1303   Published specification (optional, recommended): [RFCXXXX]
1304   Person & email address to contact for further information:
1305    IETF SASL WG <ietf-sasl@imc.org>
1306   Intended usage: COMMON
1307   Owner/Change controller: IESG <iesg@ietf.org>
1308   Note: Members of this family must be explicitly registered
1309   using the "IETF Consensus" registration procedure.
1310   Reviews must be requested on the SASL WG mailing list.
1311
1312
1313   "IETF Consensus" registration procedure MUST be used for registering
1314   new mechanisms in this family.  The SASL mailing list
1315   <ietf-sasl@imc.org> (or a successor designated by the responsible
1316   Security AD) MUST be used for soliciting reviews on such
1317   registrations.
1318
1319   Note to future SCRAM- mechanism designers: each new SCRAM- SASL
1320   mechanism MUST be explicitly registered with IANA and MUST comply
1321   with SCRAM- mechanism naming convention defined in Section 4 of this
1322   document.
1323
1324   IANA is requested to add the following entries to the SASL Mechanism
1325   registry established by [RFC4422]:
1326
1327
1328   To: iana@iana.org
1329   Subject: Registration of a new SASL mechanism SCRAM-SHA-1
1330
1331   SASL mechanism name (or prefix for the family): SCRAM-SHA-1
1332   Security considerations: Section 7 of [RFCXXXX]
1333   Published specification (optional, recommended): [RFCXXXX]
1334   Person & email address to contact for further information:
1335    IETF SASL WG <ietf-sasl@imc.org>
1336   Intended usage: COMMON
1337   Owner/Change controller: IESG <iesg@ietf.org>
1338   Note:
1339
1340
1341
1342
1343Menon-Sen, et al.       Expires February 1, 2010               [Page 24]
1344
1345Internet-Draft                    SCRAM                        July 2009
1346
1347
1348   To: iana@iana.org
1349   Subject: Registration of a new SASL mechanism SCRAM-SHA-1-PLUS
1350
1351   SASL mechanism name (or prefix for the family): SCRAM-SHA-1-PLUS
1352   Security considerations: Section 7 of [RFCXXXX]
1353   Published specification (optional, recommended): [RFCXXXX]
1354   Person & email address to contact for further information:
1355    IETF SASL WG <ietf-sasl@imc.org>
1356   Intended usage: COMMON
1357   Owner/Change controller: IESG <iesg@ietf.org>
1358   Note:
1359
1360
1361   This document also requests IANA to assign a GSS-API mechanism OID
1362   for SCRAM.
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399Menon-Sen, et al.       Expires February 1, 2010               [Page 25]
1400
1401Internet-Draft                    SCRAM                        July 2009
1402
1403
140411.  Acknowledgements
1405
1406   This document benefited from discussions on the SASL WG mailing list.
1407   The authors would like to specially thank Dave Cridland, Simon
1408   Josefsson and Jeffrey Hutzelman for their contributions to this
1409   document.
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455Menon-Sen, et al.       Expires February 1, 2010               [Page 26]
1456
1457Internet-Draft                    SCRAM                        July 2009
1458
1459
1460Appendix A.  Other Authentication Mechanisms
1461
1462   The DIGEST-MD5 [I-D.ietf-sasl-digest-to-historic] mechanism has
1463   proved to be too complex to implement and test, and thus has poor
1464   interoperability.  The security layer is often not implemented, and
1465   almost never used; everyone uses TLS instead.  For a more complete
1466   list of problems with DIGEST-MD5 which lead to the creation of SCRAM
1467   see [I-D.ietf-sasl-digest-to-historic].
1468
1469   The CRAM-MD5 SASL mechanism, while widely deployed has also some
1470   problems, in particular it is missing some modern SASL features such
1471   as support for internationalized usernames and passwords, support for
1472   passing of authorization identity, support for channel bindings.  It
1473   also doesn't support server authentication.  For a more complete list
1474   of problems with CRAM-MD5 see [I-D.ietf-sasl-crammd5-to-historic].
1475
1476   The PLAIN [RFC4616] SASL mechanism allows a malicious server or
1477   eavesdropper to impersonate the authenticating user to any other
1478   server for which the user has the same password.  It also sends the
1479   password in the clear over the network, unless TLS is used.  Server
1480   authentication is not supported.
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511Menon-Sen, et al.       Expires February 1, 2010               [Page 27]
1512
1513Internet-Draft                    SCRAM                        July 2009
1514
1515
1516Appendix B.  Design Motivations
1517
1518   The following design goals shaped this document.  Note that some of
1519   the goals have changed since the initial version of the document.
1520
1521   o  The SASL mechanism has all modern SASL features: support for
1522      internationalized usernames and passwords, support for passing of
1523      authorization identity, support for channel bindings.
1524
1525   o  The protocol supports mutual authentication.
1526
1527   o  The authentication information stored in the authentication
1528      database is not sufficient by itself to impersonate the client.
1529
1530   o  The server does not gain the ability to impersonate the client to
1531      other servers (with an exception for server-authorized proxies),
1532      unless such other servers allow SCRAM authentication and use the
1533      same salt and iteration count for the user.
1534
1535   o  The mechanism is extensible, but [hopefully] not overengineered in
1536      this respect.
1537
1538   o  Easier to implement than DIGEST-MD5 in both clients and servers.
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567Menon-Sen, et al.       Expires February 1, 2010               [Page 28]
1568
1569Internet-Draft                    SCRAM                        July 2009
1570
1571
1572Appendix C.  Internet-Draft Change History
1573
1574   (RFC Editor: Please delete everything after this point)
1575
1576   Changes since -10
1577
1578   o  Converted the source for this I-D to XML.
1579
1580   o  Added text to make SCRAM compliant with the new GS2 design.
1581
1582   o  Added text on channel binding negotiation.
1583
1584   o  Added text on channel binding, including a reference to RFC5056.
1585
1586   o  Added text on SCRAM as a GSS-API mechanism.  This noted as not
1587      relevant to SASL-only implementors -- the normative references for
1588      SCRAM as a GSS-API mechanism are segregated as well.
1589
1590   Changes since -07
1591
1592   o  Updated References.
1593
1594   o  Clarified purpose of the m= attribute.
1595
1596   o  Fixed a problem with authentication/authorization identity's ABNF
1597      not allowing for some characters.
1598
1599   o  Updated ABNF for nonce to show client-generated and server-
1600      generated parts.
1601
1602   o  Only register SCRAM-SHA-1 with IANA and require explicit
1603      registrations of all other SCRAM- mechanisms.
1604
1605   Changes since -06
1606
1607   o  Removed hash negotiation from SCRAM and turned it into a family of
1608      SASL mechanisms.
1609
1610   o  Start using "Hash Function Textual Names" IANA registry for SCRAM
1611      mechanism naming.
1612
1613   o  Fixed definition of Hi(str, salt) to be consistent with [RFC2898].
1614
1615   o  Clarified extensibility of SCRAM: added m= attribute (for future
1616      mandatory extensions) and specified that all unrecognized
1617      attributes must be ignored.
1618
1619   Changes since -05
1620
1621
1622
1623Menon-Sen, et al.       Expires February 1, 2010               [Page 29]
1624
1625Internet-Draft                    SCRAM                        July 2009
1626
1627
1628   o  Changed the mandatory to implement hash algorithm to SHA-1 (as per
1629      WG consensus).
1630
1631   o  Added text about use of SASLPrep for username canonicalization/
1632      validation.
1633
1634   o  Clarified that authorization identity is canonicalized/verified
1635      according to SASL protocol profile.
1636
1637   o  Clarified that iteration count is per-user.
1638
1639   o  Clarified how clients select the authentication function.
1640
1641   o  Added IANA registration for the new mechanism.
1642
1643   o  Added missing normative references (UTF-8, SASLPrep).
1644
1645   o  Various editorial changes based on comments from Hallvard B
1646      Furuseth, Nico William and Simon Josefsson.
1647
1648   Changes since -04
1649
1650   o  Update Base64 and Security Glossary references.
1651
1652   o  Add Formal Syntax section.
1653
1654   o  Don't bother with "v=".
1655
1656   o  Make MD5 mandatory to implement.  Suggest i=128.
1657
1658   Changes since -03
1659
1660   o  Seven years have passed, in which it became clear that DIGEST-MD5
1661      suffered from unacceptably bad interoperability, so SCRAM-MD5 is
1662      now back from the dead.
1663
1664   o  Be hash agnostic, so MD5 can be replaced more easily.
1665
1666   o  General simplification.
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679Menon-Sen, et al.       Expires February 1, 2010               [Page 30]
1680
1681Internet-Draft                    SCRAM                        July 2009
1682
1683
168412.  References
1685
168612.1.  Normative References
1687
1688   [RFC2104]  Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
1689              Hashing for Message Authentication", RFC 2104,
1690              February 1997.
1691
1692   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
1693              Requirement Levels", BCP 14, RFC 2119, March 1997.
1694
1695   [RFC3174]  Eastlake, D. and P. Jones, "US Secure Hash Algorithm 1
1696              (SHA1)", RFC 3174, September 2001.
1697
1698   [RFC3454]  Hoffman, P. and M. Blanchet, "Preparation of
1699              Internationalized Strings ("stringprep")", RFC 3454,
1700              December 2002.
1701
1702   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
1703              10646", STD 63, RFC 3629, November 2003.
1704
1705   [RFC4013]  Zeilenga, K., "SASLprep: Stringprep Profile for User Names
1706              and Passwords", RFC 4013, February 2005.
1707
1708   [RFC4422]  Melnikov, A. and K. Zeilenga, "Simple Authentication and
1709              Security Layer (SASL)", RFC 4422, June 2006.
1710
1711   [RFC4648]  Josefsson, S., "The Base16, Base32, and Base64 Data
1712              Encodings", RFC 4648, October 2006.
1713
1714   [RFC5056]  Williams, N., "On the Use of Channel Bindings to Secure
1715              Channels", RFC 5056, November 2007.
1716
1717   [RFC5234]  Crocker, D. and P. Overell, "Augmented BNF for Syntax
1718              Specifications: ABNF", STD 68, RFC 5234, January 2008.
1719
172012.2.  Normative References for GSS-API implementors
1721
1722   [I-D.ietf-sasl-gs2]
1723              Josefsson, S. and N. Williams, "Using GSS-API Mechanisms
1724              in SASL: The GS2 Mechanism Family", draft-ietf-sasl-gs2-12
1725              (work in progress), April 2009.
1726
1727   [RFC2743]  Linn, J., "Generic Security Service Application Program
1728              Interface Version 2, Update 1", RFC 2743, January 2000.
1729
1730   [RFC3962]  Raeburn, K., "Advanced Encryption Standard (AES)
1731              Encryption for Kerberos 5", RFC 3962, February 2005.
1732
1733
1734
1735Menon-Sen, et al.       Expires February 1, 2010               [Page 31]
1736
1737Internet-Draft                    SCRAM                        July 2009
1738
1739
1740   [RFC4086]  Eastlake, D., Schiller, J., and S. Crocker, "Randomness
1741              Requirements for Security", BCP 106, RFC 4086, June 2005.
1742
1743   [RFC4121]  Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos
1744              Version 5 Generic Security Service Application Program
1745              Interface (GSS-API) Mechanism: Version 2", RFC 4121,
1746              July 2005.
1747
1748   [RFC4401]  Williams, N., "A Pseudo-Random Function (PRF) API
1749              Extension for the Generic Security Service Application
1750              Program Interface (GSS-API)", RFC 4401, February 2006.
1751
1752   [RFC4402]  Williams, N., "A Pseudo-Random Function (PRF) for the
1753              Kerberos V Generic Security Service Application Program
1754              Interface (GSS-API) Mechanism", RFC 4402, February 2006.
1755
1756   [tls-unique]
1757              Zhu, L., "Registration of TLS unique channel binding
1758              (generic)", IANA http://www.iana.org/assignments/
1759              channel-binding-types/tls-unique, July 2008.
1760
176112.3.  Informative References
1762
1763   [I-D.altman-tls-channel-bindings]
1764              Altman, J., Williams, N., and L. Zhu, "Channel Bindings
1765              for TLS", draft-altman-tls-channel-bindings-05 (work in
1766              progress), June 2009.
1767
1768   [I-D.ietf-sasl-crammd5-to-historic]
1769              Zeilenga, K., "CRAM-MD5 to Historic",
1770              draft-ietf-sasl-crammd5-to-historic-00 (work in progress),
1771              November 2008.
1772
1773   [I-D.ietf-sasl-digest-to-historic]
1774              Melnikov, A., "Moving DIGEST-MD5 to Historic",
1775              draft-ietf-sasl-digest-to-historic-00 (work in progress),
1776              July 2008.
1777
1778   [I-D.melnikov-sasl-scram-ldap]
1779              Melnikov, A., "LDAP schema for storing SCRAM secrets",
1780              draft-melnikov-sasl-scram-ldap-02 (work in progress),
1781              July 2009.
1782
1783   [RFC2898]  Kaliski, B., "PKCS #5: Password-Based Cryptography
1784              Specification Version 2.0", RFC 2898, September 2000.
1785
1786   [RFC2945]  Wu, T., "The SRP Authentication and Key Exchange System",
1787              RFC 2945, September 2000.
1788
1789
1790
1791Menon-Sen, et al.       Expires February 1, 2010               [Page 32]
1792
1793Internet-Draft                    SCRAM                        July 2009
1794
1795
1796   [RFC4510]  Zeilenga, K., "Lightweight Directory Access Protocol
1797              (LDAP): Technical Specification Road Map", RFC 4510,
1798              June 2006.
1799
1800   [RFC4616]  Zeilenga, K., "The PLAIN Simple Authentication and
1801              Security Layer (SASL) Mechanism", RFC 4616, August 2006.
1802
1803   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2",
1804              RFC 4949, August 2007.
1805
1806   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
1807              (TLS) Protocol Version 1.2", RFC 5246, August 2008.
1808
1809   [tls-server-end-point]
1810              Zhu, L., "Registration of TLS server end-point channel
1811              bindings", IANA http://www.iana.org/assignments/
1812              channel-binding-types/tls-server-end-point, July 2008.
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847Menon-Sen, et al.       Expires February 1, 2010               [Page 33]
1848
1849Internet-Draft                    SCRAM                        July 2009
1850
1851
1852Authors' Addresses
1853
1854   Abhijit Menon-Sen
1855   Oryx Mail Systems GmbH
1856
1857   Email: ams@oryx.com
1858
1859
1860   Alexey Melnikov
1861   Isode Ltd
1862
1863   Email: Alexey.Melnikov@isode.com
1864
1865
1866   Chris Newman
1867   Sun Microsystems
1868   1050 Lakes Drive
1869   West Covina, CA  91790
1870   USA
1871
1872   Email: chris.newman@sun.com
1873
1874
1875   Nicolas Williams
1876   Sun Microsystems
1877   5300 Riata Trace Ct
1878   Austin, TX  78727
1879   USA
1880
1881   Email: Nicolas.Williams@sun.com
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903Menon-Sen, et al.       Expires February 1, 2010               [Page 34]
1904
1905
1906