1
2
3
4NETWORK WORKING GROUP                                       A. Menon-Sen
5Internet-Draft                                    Oryx Mail Systems GmbH
6Intended status: Standards Track                             A. Melnikov
7Expires: September 24, 2009                                    Isode Ltd
8                                                               C. Newman
9                                                             N. Williams
10                                                        Sun Microsystems
11                                                          March 23, 2009
12
13
14            Salted Challenge Response (SCRAM) SASL Mechanism
15                     draft-newman-auth-scram-11.txt
16
17Status of this Memo
18
19   This Internet-Draft is submitted to IETF in full conformance with the
20   provisions of BCP 78 and BCP 79.
21
22   Internet-Drafts are working documents of the Internet Engineering
23   Task Force (IETF), its areas, and its working groups.  Note that
24   other groups may also distribute working documents as Internet-
25   Drafts.
26
27   Internet-Drafts are draft documents valid for a maximum of six months
28   and may be updated, replaced, or obsoleted by other documents at any
29   time.  It is inappropriate to use Internet-Drafts as reference
30   material or to cite them other than as "work in progress."
31
32   The list of current Internet-Drafts can be accessed at
33   http://www.ietf.org/ietf/1id-abstracts.txt.
34
35   The list of Internet-Draft Shadow Directories can be accessed at
36   http://www.ietf.org/shadow.html.
37
38   This Internet-Draft will expire on September 24, 2009.
39
40Copyright Notice
41
42   Copyright (c) 2009 IETF Trust and the persons identified as the
43   document authors.  All rights reserved.
44
45   This document is subject to BCP 78 and the IETF Trust's Legal
46   Provisions Relating to IETF Documents in effect on the date of
47   publication of this document (http://trustee.ietf.org/license-info).
48   Please review these documents carefully, as they describe your rights
49   and restrictions with respect to this document.
50
51
52
53
54
55Menon-Sen, et al.      Expires September 24, 2009               [Page 1]
56
57Internet-Draft                    SCRAM                       March 2009
58
59
60Abstract
61
62   The secure authentication mechanism most widely deployed and used by
63   Internet application protocols is the transmission of clear-text
64   passwords over a channel protected by Transport Layer Security (TLS).
65   There are some significant security concerns with that mechanism,
66   which could be addressed by the use of a challenge response
67   authentication mechanism protected by TLS.  Unfortunately, the
68   challenge response mechanisms presently on the standards track all
69   fail to meet requirements necessary for widespread deployment, and
70   have had success only in limited use.
71
72   This specification describes a family of authentication mechanisms
73   called the Salted Challenge Response Authentication Mechanism
74   (SCRAM), which addresses the security concerns and meets the
75   deployability requirements.  When used in combination with TLS or an
76   equivalent security layer, a mechanism from this family could improve
77   the status-quo for application protocol authentication and provide a
78   suitable choice for a mandatory-to-implement mechanism for future
79   application protocol standards.
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111Menon-Sen, et al.      Expires September 24, 2009               [Page 2]
112
113Internet-Draft                    SCRAM                       March 2009
114
115
116Table of Contents
117
118   1.          Conventions Used in This Document  . . . . . . . . . .  4
119   1.1.        Terminology  . . . . . . . . . . . . . . . . . . . . .  4
120   1.2.        Notation . . . . . . . . . . . . . . . . . . . . . . .  5
121   2.          Introduction . . . . . . . . . . . . . . . . . . . . .  7
122   3.          SCRAM Algorithm Overview . . . . . . . . . . . . . . .  9
123   4.          SCRAM Mechanism Names  . . . . . . . . . . . . . . . . 10
124   5.          SCRAM Authentication Exchange  . . . . . . . . . . . . 11
125   5.1.        SCRAM Attributes . . . . . . . . . . . . . . . . . . . 12
126   6.          Channel Binding  . . . . . . . . . . . . . . . . . . . 15
127   6.1.        Channel Binding to TLS Channels  . . . . . . . . . . . 16
128   7.          Formal Syntax  . . . . . . . . . . . . . . . . . . . . 17
129   8.          SCRAM as a GSS-API Mechanism . . . . . . . . . . . . . 20
130   8.1.        GSS-API Principal Name Types for SCRAM . . . . . . . . 20
131   8.2.        GSS-API Per-Message Tokens for SCRAM . . . . . . . . . 20
132   8.3.        GSS_Pseudo_random() for SCRAM  . . . . . . . . . . . . 21
133   9.          Security Considerations  . . . . . . . . . . . . . . . 22
134   10.         IANA Considerations  . . . . . . . . . . . . . . . . . 24
135   11.         Acknowledgements . . . . . . . . . . . . . . . . . . . 25
136   Appendix A. Other Authentication Mechanisms  . . . . . . . . . . . 26
137   Appendix B. Design Motivations . . . . . . . . . . . . . . . . . . 27
138   Appendix C. SCRAM Examples and Internet-Draft Change History . . . 28
139   12.         References . . . . . . . . . . . . . . . . . . . . . . 31
140   12.1.       Normative References . . . . . . . . . . . . . . . . . 31
141   12.2.       Normative References for GSS-API implementors  . . . . 31
142   12.3.       Informative References . . . . . . . . . . . . . . . . 32
143               Authors' Addresses . . . . . . . . . . . . . . . . . . 34
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167Menon-Sen, et al.      Expires September 24, 2009               [Page 3]
168
169Internet-Draft                    SCRAM                       March 2009
170
171
1721.  Conventions Used in This Document
173
174   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
175   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
176   document are to be interpreted as described in [RFC2119].
177
178   Formal syntax is defined by [RFC5234] including the core rules
179   defined in Appendix B of [RFC5234].
180
181   Example lines prefaced by "C:" are sent by the client and ones
182   prefaced by "S:" by the server.  If a single "C:" or "S:" label
183   applies to multiple lines, then the line breaks between those lines
184   are for editorial clarity only, and are not part of the actual
185   protocol exchange.
186
1871.1.  Terminology
188
189   This document uses several terms defined in [RFC4949] ("Internet
190   Security Glossary") including the following: authentication,
191   authentication exchange, authentication information, brute force,
192   challenge-response, cryptographic hash function, dictionary attack,
193   eavesdropping, hash result, keyed hash, man-in-the-middle, nonce,
194   one-way encryption function, password, replay attack and salt.
195   Readers not familiar with these terms should use that glossary as a
196   reference.
197
198   Some clarifications and additional definitions follow:
199
200   o  Authentication information: Information used to verify an identity
201      claimed by a SCRAM client.  The authentication information for a
202      SCRAM identity consists of salt, iteration count, the "StoredKey"
203      and "ServerKey" (as defined in the algorithm overview) for each
204      supported cryptographic hash function.
205
206   o  Authentication database: The database used to look up the
207      authentication information associated with a particular identity.
208      For application protocols, LDAPv3 (see [RFC4510]) is frequently
209      used as the authentication database.  For network-level protocols
210      such as PPP or 802.11x, the use of RADIUS is more common.
211
212   o  Base64: An encoding mechanism defined in [RFC4648] which converts
213      an octet string input to a textual output string which can be
214      easily displayed to a human.  The use of base64 in SCRAM is
215      restricted to the canonical form with no whitespace.
216
217   o  Octet: An 8-bit byte.
218
219   o  Octet string: A sequence of 8-bit bytes.
220
221
222
223Menon-Sen, et al.      Expires September 24, 2009               [Page 4]
224
225Internet-Draft                    SCRAM                       March 2009
226
227
228   o  Salt: A random octet string that is combined with a password
229      before applying a one-way encryption function.  This value is used
230      to protect passwords that are stored in an authentication
231      database.
232
2331.2.  Notation
234
235   The pseudocode description of the algorithm uses the following
236   notations:
237
238   o  ":=": The variable on the left hand side represents the octet
239      string resulting from the expression on the right hand side.
240
241   o  "+": Octet string concatenation.
242
243   o  "[ ]": A portion of an expression enclosed in "[" and "]" may not
244      be included in the result under some circumstances.  See the
245      associated text for a description of those circumstances.
246
247   o  HMAC(key, str): Apply the HMAC keyed hash algorithm (defined in
248      [RFC2104]) using the octet string represented by "key" as the key
249      and the octet string "str" as the input string.  The size of the
250      result is the hash result size for the hash function in use.  For
251      example, it is 20 octets for SHA-1 (see [RFC3174]).
252
253   o  H(str): Apply the cryptographic hash function to the octet string
254      "str", producing an octet string as a result.  The size of the
255      result depends on the hash result size for the hash function in
256      use.
257
258   o  XOR: Apply the exclusive-or operation to combine the octet string
259      on the left of this operator with the octet string on the right of
260      this operator.  The length of the output and each of the two
261      inputs will be the same for this use.
262
263   o  Hi(str, salt):
264
265
266
267      U0   := HMAC(str, salt + INT(1))
268      U1   := HMAC(str, U0)
269      U2   := HMAC(str, U1)
270      ...
271      Ui-1 := HMAC(str, Ui-2)
272      Ui   := HMAC(str, Ui-1)
273
274      Hi := U0 XOR U1 XOR U2 XOR ... XOR Ui
275
276
277
278
279Menon-Sen, et al.      Expires September 24, 2009               [Page 5]
280
281Internet-Draft                    SCRAM                       March 2009
282
283
284      where "i" is the iteration count, "+" is the string concatenation
285      operator and INT(g) is a four-octet encoding of the integer g,
286      most significant octet first.
287
288   o  This is, essentially, PBKDF2 [RFC2898] with HMAC() as the PRF and
289      with dkLen == output length of HMAC() == output length of H().
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335Menon-Sen, et al.      Expires September 24, 2009               [Page 6]
336
337Internet-Draft                    SCRAM                       March 2009
338
339
3402.  Introduction
341
342   This specification describes a family of authentication mechanisms
343   called the Salted Challenge Response Authentication Mechanism (SCRAM)
344   which addresses the requirements necessary to deploy a challenge-
345   response mechanism more widely than past attempts.  When used in
346   combination with Transport Layer Security (TLS, see [RFC5246]) or an
347   equivalent security layer, a mechanism from this family could improve
348   the status-quo for application protocol authentication and provide a
349   suitable choice for a mandatory-to-implement mechanism for future
350   application protocol standards.
351
352   For simplicity, this family of mechanism does not presently include
353   negotiation of a security layer.  It is intended to be used with an
354   external security layer such as that provided by TLS or SSH, with
355   optional channel binding [RFC5056] to the external security layer.
356
357   SCRAM is specified herein as a pure Simple Authentication and
358   Security Layer (SASL) [RFC4422] mechanism, but it conforms to the new
359   bridge between SASL and the Generic Security Services Application
360   Programming Interface (GSS-API) called "GS2" [ref-needed].  This
361   means that SCRAM is actually both, a GSS-API and SASL mechanism.
362
363   SCRAM provides the following protocol features:
364
365   o  The authentication information stored in the authentication
366      database is not sufficient by itself to impersonate the client.
367      The information is salted to prevent a pre-stored dictionary
368      attack if the database is stolen.
369
370   o  The server does not gain the ability to impersonate the client to
371      other servers (with an exception for server-authorized proxies).
372
373   o  The mechanism permits the use of a server-authorized proxy without
374      requiring that proxy to have super-user rights with the back-end
375      server.
376
377   o  A standard attribute is defined to enable storage of the
378      authentication information in LDAPv3 (see [RFC4510]).
379
380   o  Mutual authentication is supported, but only the client is named
381      (i.e., the server has no name).
382
383   For an in-depth discussion of why other challenge response mechanisms
384   are not considered sufficient, see appendix A.  For more information
385   about the motivations behind the design of this mechanism, see
386   appendix B.
387
388
389
390
391Menon-Sen, et al.      Expires September 24, 2009               [Page 7]
392
393Internet-Draft                    SCRAM                       March 2009
394
395
396   Comments regarding this draft may be sent either to the
397   ietf-sasl@imc.org mailing list or to the authors.
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447Menon-Sen, et al.      Expires September 24, 2009               [Page 8]
448
449Internet-Draft                    SCRAM                       March 2009
450
451
4523.  SCRAM Algorithm Overview
453
454   Note that this section omits some details, such as client and server
455   nonces.  See Section 5 for more details.
456
457   To begin with, the client is in possession of a username and
458   password.  It sends the username to the server, which retrieves the
459   corresponding authentication information, i.e. a salt, StoredKey,
460   ServerKey and the iteration count i.  (Note that a server
461   implementation may chose to use the same iteration count for all
462   account.)  The server sends the salt and the iteration count to the
463   client, which then computes the following values and sends a
464   ClientProof to the server:
465
466
467      SaltedPassword  := Hi(password, salt)
468      ClientKey       := H(SaltedPassword)
469      StoredKey       := H(ClientKey)
470      AuthMessage     := client-first-message + "," +
471                         server-first-message + "," +
472                         client-final-message-without-proof
473      ClientSignature := HMAC(StoredKey, AuthMessage)
474      ClientProof     := ClientKey XOR ClientSignature
475      ServerKey       := HMAC(SaltedPassword, salt)
476      ServerSignature := HMAC(ServerKey, AuthMessage)
477
478
479   The server authenticates the client by computing the ClientSignature,
480   exclusive-ORing that with the ClientProof to recover the ClientKey
481   and verifying the correctness of the ClientKey by applying the hash
482   function and comparing the result to the StoredKey.  If the ClientKey
483   is correct, this proves that the client has access to the user's
484   password.
485
486   Similarly, the client authenticates the server by computing the
487   ServerSignature and comparing it to the value sent by the server.  If
488   the two are equal, it proves that the server had access to the user's
489   ServerKey.
490
491   The AuthMessage is computed by concatenating messages from the
492   authentication exchange.  The format of these messages is defined in
493   Section 7.
494
495
496
497
498
499
500
501
502
503Menon-Sen, et al.      Expires September 24, 2009               [Page 9]
504
505Internet-Draft                    SCRAM                       March 2009
506
507
5084.  SCRAM Mechanism Names
509
510   A SCRAM mechanism name is a string "SCRAM-HMAC-" followed by the
511   uppercased name of the underlying hashed function taken from the IANA
512   "Hash Function Textual Names" registry (see http://www.iana.org),
513   optionally followed by the suffix "-PLUS" (see below)..
514
515   For interoperability, all SCRAM clients and servers MUST implement
516   the SCRAM-HMAC-SHA-1 authentication mechanism, i.e. an authentication
517   mechanism from the SCRAM family that uses the SHA-1 hash function as
518   defined in [RFC3174].
519
520   The "-PLUS" suffix is used only when the server supports channel
521   binding to the external channel.  In this case the server will
522   advertise both, SCRAM-HMAC-SHA-1 and SCRAM-HMAC-SHA-1-PLUS, otherwise
523   the server will advertise only SCRAM-HMAC-SHA-1.  The "-PLUS" exists
524   to allow negotiation of the use of channel binding.  See Section 6.
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559Menon-Sen, et al.      Expires September 24, 2009              [Page 10]
560
561Internet-Draft                    SCRAM                       March 2009
562
563
5645.  SCRAM Authentication Exchange
565
566   SCRAM is a text protocol where the client and server exchange
567   messages containing one or more attribute-value pairs separated by
568   commas.  Each attribute has a one-letter name.  The messages and
569   their attributes are described in Section 5.1, and defined in
570   Section 7.
571
572   This is a simple example of a SCRAM-HMAC-SHA-1 authentication
573   exchange:
574
575
576      C: n,n=Chris Newman,r=ClientNonce
577      S: r=ClientNonceServerNonce,s=PxR/wv+epq,i=128
578      C: r=ClientNonceServerNonce,p=WxPv/siO5l+qxN4
579      S: v=WxPv/siO5l+qxN4
580
581
582   With channel-binding data sent by the client this might look like
583   this:
584
585
586      C: p,n=Chris Newman,r=ClientNonce
587      S: r=ClientNonceServerNonce,s=PxR/wv+epq,i=128
588      C: c=0123456789ABCDEF,r=ClientNonceServerNonce,p=WxPv/siO5l+qxN4
589      S: v=WxPv/siO5l+qxN4
590
591
592   <<Note that the channel-bind data above, as well as all hashes are
593   fake>>
594
595   First, the client sends a message containing:
596
597   o  a GS2 header consisting of a flag indicating whether channel
598      binding is supported-but-not-used, not supported, or used, and the
599      SASL authzid (optional);
600
601   o  SCRAM username and client nonce attributes.
602
603   Note that the client's first message will always start with "n", "y"
604   or "p", otherwise the message is invalid and authentication MUST
605   fail.  This is important, as it allows for GS2 extensibility (e.g.,
606   to add support for security layers).
607
608   In response, the server sends the user's iteration count i, the
609   user's salt, and appends its own nonce to the client-specified one.
610   The client then responds with the same nonce and a ClientProof
611   computed using the selected hash function as explained earlier.  In
612
613
614
615Menon-Sen, et al.      Expires September 24, 2009              [Page 11]
616
617Internet-Draft                    SCRAM                       March 2009
618
619
620   this step the client can also include an optional authorization
621   identity.  The server verifies the nonce and the proof, verifies that
622   the authorization identity (if supplied by the client in the second
623   message) is authorized to act as the authentication identity, and,
624   finally, it responds with a ServerSignature, concluding the
625   authentication exchange.  The client then authenticates the server by
626   computing the ServerSignature and comparing it to the value sent by
627   the server.  If the two are different, the client MUST consider the
628   authentication exchange to be unsuccessful and it might have to drop
629   the connection.
630
6315.1.  SCRAM Attributes
632
633   This section describes the permissible attributes, their use, and the
634   format of their values.  All attribute names are single US-ASCII
635   letters and are case-sensitive.
636
637   o  a: This is an optional attribute, and is part of the GS2 [ref-
638      needed] bridge between the GSS-API and SASL.  This attribute
639      specifies an authorization identity.  A client may include it in
640      its second message to the server if it wants to authenticate as
641      one user, but subsequently act as a different user.  This is
642      typically used by an administrator to perform some management task
643      on behalf of another user, or by a proxy in some situations.
644
645         Upon the receipt of this value the server verifies its
646         correctness according to the used SASL protocol profile.
647         Failed verification results in failed authentication exchange.
648
649         If this attribute is omitted (as it normally would be), or
650         specified with an empty value, the authorization identity is
651         assumed to be derived from the username specified with the
652         (required) "n" attribute.
653
654         The server always authenticates the user specified by the "n"
655         attribute.  If the "a" attribute specifies a different user,
656         the server associates that identity with the connection after
657         successful authentication and authorization checks.
658
659         The syntax of this field is the same as that of the "n" field
660         with respect to quoting of '=' and ','.
661
662   o  n: This attribute specifies the name of the user whose password is
663      used for authentication.  A client must include it in its first
664      message to the server.  If the "a" attribute is not specified
665      (which would normally be the case), this username is also the
666      identity which will be associated with the connection subsequent
667      to authentication and authorization.
668
669
670
671Menon-Sen, et al.      Expires September 24, 2009              [Page 12]
672
673Internet-Draft                    SCRAM                       March 2009
674
675
676         Before sending the username to the server, the client MUST
677         prepare the username using the "SASLPrep" profile [RFC4013] of
678         the "stringprep" algorithm [RFC3454].  If the preparation of
679         the username fails or results in an empty string, the client
680         SHOULD abort the authentication exchange (*).
681
682         (*) An interactive client can request a repeated entry of the
683         username value.
684
685         Upon receipt of the username by the server, the server SHOULD
686         prepare it using the "SASLPrep" profile [RFC4013] of the
687         "stringprep" algorithm [RFC3454].  If the preparation of the
688         username fails or results in an empty string, the server SHOULD
689         abort the authentication exchange.
690
691         The characters ',' or '=' in usernames are sent as '=2C' and
692         '=3D' respectively.  If the server receives a username which
693         contains '=' not followed by either '2C' or '3D', then the
694         server MUST fail the authentication.
695
696   o  m: This attribute is reserved for future extensibility.  In this
697      version of SCRAM, its presence in a client or a server message
698      MUST cause authentication failure when the attribute is parsed by
699      the other end.
700
701   o  r: This attribute specifies a sequence of random printable
702      characters excluding ',' which forms the nonce used as input to
703      the hash function.  No quoting is applied to this string (<<unless
704      the binding of SCRAM to a particular protocol states otherwise>>).
705      As described earlier, the client supplies an initial value in its
706      first message, and the server augments that value with its own
707      nonce in its first response.  It is important that this be value
708      different for each authentication.  The client MUST verify that
709      the initial part of the nonce used in subsequent messages is the
710      same as the nonce it initially specified.  The server MUST verify
711      that the nonce sent by the client in the second message is the
712      same as the one sent by the server in its first message.
713
714   o  c: This REQUIRED attribute specifies base64-encoded of a header
715      and the channel-binding data.  It is sent by the client in its
716      second authentication message.  The header consist of:
717
718      *  the GS2 header from the client's first message (recall: a
719         channel binding flag and an optional authzid);
720
721      *  followed by the external channel's channel binding type prefix
722         (see [RFC5056], if and only if the client is using channel
723         binding;
724
725
726
727Menon-Sen, et al.      Expires September 24, 2009              [Page 13]
728
729Internet-Draft                    SCRAM                       March 2009
730
731
732      *  followed by the external channel's channel binding data, if and
733         only if the client is using channel binding.
734
735   o  s: This attribute specifies the base64-encoded salt used by the
736      server for this user.  It is sent by the server in its first
737      message to the client.
738
739   o  i: This attribute specifies an iteration count for the selected
740      hash function and user, and must be sent by the server along with
741      the user's salt.
742
743         For SCRAM-HMAC-SHA-1 SASL mechanism servers SHOULD announce a
744         hash iteration-count of at least 128.
745
746   o  p: This attribute specifies a base64-encoded ClientProof.  The
747      client computes this value as described in the overview and sends
748      it to the server.
749
750   o  v: This attribute specifies a base64-encoded ServerSignature.  It
751      is sent by the server in its final message, and is used by the
752      client to verify that the server has access to the user's
753      authentication information.  This value is computed as explained
754      in the overview.
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783Menon-Sen, et al.      Expires September 24, 2009              [Page 14]
784
785Internet-Draft                    SCRAM                       March 2009
786
787
7886.  Channel Binding
789
790   SCRAM supports channel binding to external secure channels, such as
791   TLS.  Clients and servers may or may not support channel binding,
792   therefore the use of channel binding is negotiable.  SCRAM does not
793   provide security layers, however, therefore it is imperative that
794   SCRAM provide integrity protection for the negotiation of channel
795   binding.
796
797   Use of channel binding is negotiated as follows:
798
799   o  The server advertises support for channel binding by advertising
800      both, SCRAM-HMAC-<hash-function> and SCRAM-HMAC-<hash-function>-
801      PLUS.
802
803   o  If the client negotiates mechanisms then client MUST select SCRAM-
804      HMAC-<hash-function>-PLUS if offered by the server.  Otherwise, if
805      the client does not negotiate mechanisms then it MUST select only
806      SCRAM-HMAC-<hash-function> (not suffixed with "-PLUS").
807
808   o  If the client and server both support channel binding, or if the
809      client wishes to use channel binding but the client does not
810      negotiate mechanisms, the client MUST set the GS2 channel binding
811      flag to "p" and MUST include channel binding data for the external
812      channel in the computation of the "c=" attribute (see
813      Section 5.1).
814
815   o  If the client supports channel binding but the server does not
816      then the client MUST set the GS2 channel binding flag to "y" and
817      MUST NOT include channel binding data for the external channel in
818      the computation of the "c=" attribute (see Section 5.1).
819
820   o  If the client does not support channel binding then the client
821      MUST set the GS2 channel binding flag to "n" and MUST NOT include
822      channel binding data for the external channel in the computation
823      of the "c=" attribute (see Section 5.1).
824
825   o  If the server receives a client first message with the GS2 channel
826      binding flag set to "y" and the server supports channel binding
827      the server MUST fail authentication.  This is because if the
828      client sets the GS2 channel binding flag set to "y" then the
829      client must have believed that the server did not support channel
830      binding -- if the server did in fact support channel binding then
831      this is an indication that there has been a downgrade attack
832      (e.g., an attacker changed the server's mechanism list to exclude
833      the -PLUS suffixed SCRAM mechanism name(s)).
834
835   The server MUST always validate the client's "c=" field.  The server
836
837
838
839Menon-Sen, et al.      Expires September 24, 2009              [Page 15]
840
841Internet-Draft                    SCRAM                       March 2009
842
843
844   does this by constructing the value of the "c=" attribute and then
845   checking that it matches the client's c= attribute value.
846
8476.1.  Channel Binding to TLS Channels
848
849   If an external TLS channel is to be bound into the SCRAM
850   authentication, and if the channel was established using a server
851   certificate to authenticate the server, then the SCRAM client and
852   server MUST use the 'tls-server-end-point' channel binding type.  See
853   the IANA Channel Binding Types registry.
854
855   If an external TLS channel is to be bound into the SCRAM
856   authentication, and if the channel was established without the use of
857   any server certificate to authenticate the server, then the SCRAM
858   client and server MUST use the 'tls-unique' channel binding type.
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895Menon-Sen, et al.      Expires September 24, 2009              [Page 16]
896
897Internet-Draft                    SCRAM                       March 2009
898
899
9007.  Formal Syntax
901
902   The following syntax specification uses the Augmented Backus-Naur
903   Form (ABNF) notation as specified in [RFC5234].  "UTF8-2", "UTF8-3"
904   and "UTF8-4" non-terminal are defined in [RFC3629].
905
906
907     ALPHA = <as defined in RFC 5234 appendix B.1>
908     DIGIT = <as defined in RFC 5234 appendix B.1>
909     UTF8-2 = <as defined in RFC 3629 (STD 63)>
910     UTF8-3 = <as defined in RFC 3629 (STD 63)>
911     UTF8-4 = <as defined in RFC 3629 (STD 63)>
912
913     generic-message = attr-val *("," attr-val)
914                       ;; Generic syntax of any server challenge
915                       ;; or client response
916
917     attr-val        = ALPHA "=" value
918
919     value           = *value-char
920
921     value-safe-char = %x01-2B / %x2D-3C / %x3E-7F /
922                       UTF8-2 / UTF8-3 / UTF8-4
923                       ;; UTF8-char except NUL, "=", and ",".
924
925     value-char      = value-safe-char / "="
926
927     base64-char     = ALPHA / DIGIT / "/" / "+"
928
929     base64-4        = 4base64-char
930
931     base64-3        = 3base64-char "="
932
933     base64-2        = 2base64-char "=="
934
935     base64          = *base64-4 [base64-3 / base64-2]
936
937     posit-number = %x31-39 *DIGIT
938                       ;; A positive number
939
940     saslname        = 1*(value-safe-char / "=2C" / "=3D")
941                       ;; Conforms to <value>
942
943     authzid         = "a=" saslname
944                       ;; Protocol specific.
945
946     gs2-cbind-flag  = "n" / "y" / "p"
947                       ;; "n" -> client doesn't support channel binding
948
949
950
951Menon-Sen, et al.      Expires September 24, 2009              [Page 17]
952
953Internet-Draft                    SCRAM                       March 2009
954
955
956                       ;; "y" -> client does support channel binding
957                       ;;        but thinks the server does not.
958                       ;; "p" -> client requires channel binding
959     gs2-header      = gs2-cbind-flag [ authzid ] ","
960                       ;; GS2 header for SCRAM
961                       ;; (the actual GS2 header includes an optional
962                       ;; flag to indicate that the GSS mechanism is not
963                       ;; "standard" but since SCRAM is "standard" we
964                       ;; don't include that flag).
965
966     username        = "n=" saslname
967                       ;; Usernames are prepared using SASLPrep.
968
969     reserved-mext  = "m=" 1*(value-char)
970                       ;; Reserved for signalling mandatory extensions.
971                       ;; The exact syntax will be defined in
972                       ;; the future.
973
974     ;;cbind-type    = value
975     ;;cbind-input   = gs2-header [ value ":" cbind-data ]
976     channel-binding = "c=" base64
977                       ;; base64 encoding of cbind-input
978
979     proof           = "p=" base64
980
981     nonce           = "r=" c-nonce [s-nonce]
982                       ;; Second part provided by server.
983
984     c-nonce         = value
985
986     s-nonce         = value
987
988     salt            = "s=" base64
989
990     verifier        = "v=" base64
991                       ;; base-64 encoded ServerSignature.
992
993     iteration-count = "i=" posit-number
994                       ;; A positive number
995
996     client-first-message =
997                       gs2-header [reserved-mext ","]
998                       username "," nonce ["," extensions]
999
1000     server-first-message =
1001                       [reserved-mext ","] nonce "," salt ","
1002                       iteration-count ["," extensions]
1003
1004
1005
1006
1007Menon-Sen, et al.      Expires September 24, 2009              [Page 18]
1008
1009Internet-Draft                    SCRAM                       March 2009
1010
1011
1012     client-final-message-without-proof =
1013                       [channel-binding ","] nonce [","
1014                       extensions]
1015
1016     client-final-message =
1017                       client-final-message-without-proof "," proof
1018
1019     gss-server-error = "e=" value
1020     server-final-message = gss-server-error /
1021                       verifier ["," extensions]
1022                       ;; The error message is only for the GSS-API
1023                       ;; form of SCRAM, and it is OPTIONAL to
1024                       ;; implement it.
1025
1026     extensions = attr-val *("," attr-val)
1027                       ;; All extensions are optional,
1028                       ;; i.e. unrecognized attributes
1029                       ;; not defined in this document
1030                       ;; MUST be ignored.
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063Menon-Sen, et al.      Expires September 24, 2009              [Page 19]
1064
1065Internet-Draft                    SCRAM                       March 2009
1066
1067
10688.  SCRAM as a GSS-API Mechanism
1069
1070   This section and its sub-sections and all normative references of it
1071   not referenced elsewhere in this document are INFORMATIONAL for SASL
1072   implementors, but they are NORMATIVE for GSS-API implementors.
1073
1074   SCRAM is actually also GSS-API mechanism.  The messages are the same,
1075   but a) the GS2 header on the client's first message and channel
1076   binding data is excluded when SCRAM is used as a GSS-API mechanism,
1077   and b) the RFC2743 section 3.1 initial context token header is
1078   prefixed to the client's first authentication message (context
1079   token).
1080
1081   The GSS-API mechanism OID for SCRAM is <TBD> (see Section 10).
1082
10838.1.  GSS-API Principal Name Types for SCRAM
1084
1085   SCRAM does not name acceptors.  Therefore only GSS_C_NO_NAME and
1086   names of type GSS_C_NT_ANONYMOUS shall be allowed as the target name
1087   input of GSS_Init_sec_context() when using a SCRAM mechanism.
1088
1089   SCRAM supports only a single name type for initiators:
1090   GSS_C_NT_USER_NAME.  GSS_C_NT_USER_NAME is the default name type for
1091   SCRAM.
1092
1093   There is no name canonicalization procedure for SCRAM beyond applying
1094   SASLprep as described in Section 5.1.
1095
1096   The query, display and exported name syntax for SCRAM principal names
1097   is the same: there is no syntax -- SCRAM principal names are free-
1098   form.  (The exported name token does, of course, conform to [RFC2743]
1099   section 3.2, but the "NAME" part of the token is just a SCRAM user
1100   name.)
1101
11028.2.  GSS-API Per-Message Tokens for SCRAM
1103
1104   The per-message tokens for SCRAM as a GSS-API mechanism SHALL BE the
1105   same as those for the Kerberos V GSS-API mechanism [RFC4121], using
1106   the Kerberos V "aes128-cts-hmac-sha1-96" enctype [RFC3962].
1107
1108   The 128-bit session key SHALL be derived by using the least
1109   significant (right-most) 128 bits of HMAC(StoredKey, "GSS-API session
1110   key" || ClientKey || AuthMessage).
1111
1112   SCRAM does support PROT_READY, and is PROT_READY on the initiator
1113   side first upon receipt of the server's reply to the initial security
1114   context token.
1115
1116
1117
1118
1119Menon-Sen, et al.      Expires September 24, 2009              [Page 20]
1120
1121Internet-Draft                    SCRAM                       March 2009
1122
1123
11248.3.  GSS_Pseudo_random() for SCRAM
1125
1126   The GSS_Pseudo_random() [RFC4401] for SCRAM SHALL be the same as for
1127   the Kerberos V GSS-API mechanism [RFC4402].  There is no acceptor-
1128   asserted sub-session key for SCRAM, thus GSS_C_PRF_KEY_FULL and
1129   GSS_C_PRF_KEY_PARTIAL are equivalent for SCRAM's GSS_Pseudo_random().
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175Menon-Sen, et al.      Expires September 24, 2009              [Page 21]
1176
1177Internet-Draft                    SCRAM                       March 2009
1178
1179
11809.  Security Considerations
1181
1182   If the authentication exchange is performed without a strong security
1183   layer, then a passive eavesdropper can gain sufficient information to
1184   mount an offline dictionary or brute-force attack which can be used
1185   to recover the user's password.  The amount of time necessary for
1186   this attack depends on the cryptographic hash function selected, the
1187   strength of the password and the iteration count supplied by the
1188   server.  An external security layer with strong encryption will
1189   prevent this attack.
1190
1191   If the external security layer used to protect the SCRAM exchange
1192   uses an anonymous key exchange, then the SCRAM channel binding
1193   mechanism can be used to detect a man-in-the-middle attack on the
1194   security layer and cause the authentication to fail as a result.
1195   However, the man-in-the-middle attacker will have gained sufficient
1196   information to mount an offline dictionary or brute-force attack.
1197   For this reason, SCRAM includes the ability to increase the iteration
1198   count over time.
1199
1200   If the authentication information is stolen from the authentication
1201   database, then an offline dictionary or brute-force attack can be
1202   used to recover the user's password.  The use of salt mitigates this
1203   attack somewhat by requiring a separate attack on each password.
1204   Authentication mechanisms which protect against this attack are
1205   available (e.g., the EKE class of mechanisms), but the patent
1206   situation is presently unclear.
1207
1208   If an attacker obtains the authentication information from the
1209   authentication repository and either eavesdrops on one authentication
1210   exchange or impersonates a server, the attacker gains the ability to
1211   impersonate that user to all servers providing SCRAM access using the
1212   same hash function, password, iteration count and salt.  For this
1213   reason, it is important to use randomly-generated salt values.
1214
1215   SCRAM does not negotiate a hash function to use.  Hash function
1216   negotiation is left to the SASL mechanism negotiation.  It is
1217   important that clients be able to sort a locally available list of
1218   mechanisms by preference so that the client may pick the most
1219   preferred of a server's advertised mechanism list.  This preference
1220   order is not specified here as it is a local matter.  The preference
1221   order should include objective and subjective notions of mechanism
1222   cryptographic strength (e.g., SCRAM with a successor to SHA-1 may be
1223   preferred over SCRAM with SHA-1).
1224
1225   Note that to protect the SASL mechanism negotiation applications
1226   normally must list the server mechs twice: once before and once after
1227   authentication, the latter using security layers.  Since SCRAM does
1228
1229
1230
1231Menon-Sen, et al.      Expires September 24, 2009              [Page 22]
1232
1233Internet-Draft                    SCRAM                       March 2009
1234
1235
1236   not provide security layers the only ways to protect the mechanism
1237   negotiation are: a) use channel binding to an external channel, or b)
1238   use an external channel that authenticates a user-provided server
1239   name.
1240
1241   A hostile server can perform a computational denial-of-service attack
1242   on clients by sending a big iteration count value.
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287Menon-Sen, et al.      Expires September 24, 2009              [Page 23]
1288
1289Internet-Draft                    SCRAM                       March 2009
1290
1291
129210.  IANA Considerations
1293
1294   IANA is requested to add the following entries to the SASL Mechanism
1295   registry established by [RFC4422]:
1296
1297
1298   To: iana@iana.org
1299   Subject: Registration of a new SASL mechanism SCRAM-HMAC-SHA-1
1300
1301   SASL mechanism name (or prefix for the family): SCRAM-HMAC-SHA-1
1302   Security considerations: Section 7 of [RFCXXXX]
1303   Published specification (optional, recommended): [RFCXXXX]
1304   Person & email address to contact for further information:
1305    IETF SASL WG <ietf-sasl@imc.org>
1306   Intended usage: COMMON
1307   Owner/Change controller: IESG <iesg@ietf.org>
1308   Note:
1309
1310   To: iana@iana.org
1311   Subject: Registration of a new SASL mechanism SCRAM-HMAC-SHA-1-PLUS
1312
1313   SASL mechanism name (or prefix for the family): SCRAM-HMAC-SHA-1-PLUS
1314   Security considerations: Section 7 of [RFCXXXX]
1315   Published specification (optional, recommended): [RFCXXXX]
1316   Person & email address to contact for further information:
1317    IETF SASL WG <ietf-sasl@imc.org>
1318   Intended usage: COMMON
1319   Owner/Change controller: IESG <iesg@ietf.org>
1320   Note:
1321
1322
1323   Note that even though this document defines a family of SCRAM-HMAC
1324   mechanisms, it doesn't register a family of SCRAM-HMAC mechanisms in
1325   the SASL Mechanisms registry.  IANA is requested to prevent future
1326   registrations of SASL mechanisms starting with SCRAM-HMAC- without
1327   consulting the SASL mailing list <ietf-sasl@imc.org> first.
1328
1329   Note to future SCRAM-HMAC mechanism designers: each new SCRAM-HMAC
1330   SASL mechanism MUST be explicitly registered with IANA and MUST
1331   comply with SCRAM-HMAC mechanism naming convention defined in
1332   Section 4 of this document.
1333
1334   We hereby request that IANA assign a GSS-API mechanism OID for SCRAM.
1335
1336
1337
1338
1339
1340
1341
1342
1343Menon-Sen, et al.      Expires September 24, 2009              [Page 24]
1344
1345Internet-Draft                    SCRAM                       March 2009
1346
1347
134811.  Acknowledgements
1349
1350   The authors would like to thank Dave Cridland for his contributions
1351   to this document.
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399Menon-Sen, et al.      Expires September 24, 2009              [Page 25]
1400
1401Internet-Draft                    SCRAM                       March 2009
1402
1403
1404Appendix A.  Other Authentication Mechanisms
1405
1406   The DIGEST-MD5 [I-D.ietf-sasl-digest-to-historic] mechanism has
1407   proved to be too complex to implement and test, and thus has poor
1408   interoperability.  The security layer is often not implemented, and
1409   almost never used; everyone uses TLS instead.  For a more complete
1410   list of problems with DIGEST-MD5 which lead to the creation of SCRAM
1411   see [I-D.ietf-sasl-digest-to-historic].
1412
1413   The CRAM-MD5 SASL mechanism, while widely deployed has also some
1414   problems, in particular it is missing some modern SASL features such
1415   as support for internationalized usernames and passwords, support for
1416   passing of authorization identity, support for channel bindings.  It
1417   also doesn't support server authentication.  For a more complete list
1418   of problems with CRAM-MD5 see [I-D.ietf-sasl-crammd5-to-historic].
1419
1420   The PLAIN [RFC4616] SASL mechanism allows a malicious server or
1421   eavesdropper to impersonate the authenticating user to any other
1422   server for which the user has the same password.  It also sends the
1423   password in the clear over the network, unless TLS is used.  Server
1424   authentication is not supported.
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455Menon-Sen, et al.      Expires September 24, 2009              [Page 26]
1456
1457Internet-Draft                    SCRAM                       March 2009
1458
1459
1460Appendix B.  Design Motivations
1461
1462   The DIGEST-MD5 [I-D.ietf-sasl-digest-to-historic] mechanism has
1463   proved to be too complex to implement and test, and thus has poor
1464   interoperability.  The security layer is often not implemented, and
1465   almost never used; everyone uses TLS instead.  For a more complete
1466   list of problems with DIGEST-MD5 which lead to the creation of SCRAM
1467   see [I-D.ietf-sasl-digest-to-historic].
1468
1469   The CRAM-MD5 SASL mechanism, while widely deployed has also some
1470   problems, in particular it is missing some modern SASL features such
1471   as support for internationalized usernames and passwords, support for
1472   passing of authorization identity, support for channel bindings.  It
1473   also doesn't support server authentication.  For a more complete list
1474   of problems with CRAM-MD5 see [I-D.ietf-sasl-crammd5-to-historic].
1475
1476   The PLAIN [RFC4616] SASL mechanism allows a malicious server or
1477   eavesdropper to impersonate the authenticating user to any other
1478   server for which the user has the same password.  It also sends the
1479   password in the clear over the network, unless TLS is used.  Server
1480   authentication is not supported.
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511Menon-Sen, et al.      Expires September 24, 2009              [Page 27]
1512
1513Internet-Draft                    SCRAM                       March 2009
1514
1515
1516Appendix C.  SCRAM Examples and Internet-Draft Change History
1517
1518   <<To be written.>>
1519
1520   (RFC Editor: Please delete everything after this point)
1521
1522   Open Issues
1523
1524   o  The appendices need to be written.
1525
1526   o  Should the server send a base64-encoded ServerSignature for the
1527      value of the "v" attribute, or should it compute a ServerProof the
1528      way the client computes a ClientProof?
1529
1530   Changes since -10
1531
1532   o  Converted the source for this I-D to XML.
1533
1534   o  Added text to make SCRAM compliant with the new GS2 design.
1535
1536   o  Added text on channel binding negotiation.
1537
1538   o  Added text on channel binding, including a reference to RFC5056.
1539
1540   o  Added text on SCRAM as a GSS-API mechanism.  This noted as not
1541      relevant to SASL-only implementors -- the normative references for
1542      SCRAM as a GSS-API mechanism are segregated as well.
1543
1544   Changes since -07
1545
1546   o  Updated References.
1547
1548   o  Clarified purpose of the m= attribute.
1549
1550   o  Fixed a problem with authentication/authorization identity's ABNF
1551      not allowing for some characters.
1552
1553   o  Updated ABNF for nonce to show client-generated and server-
1554      generated parts.
1555
1556   o  Only register SCRAM-HMAC-SHA-1 with IANA and require explicit
1557      registrations of all other SCRAM-HMAC- mechanisms.
1558
1559   Changes since -06
1560
1561   o  Removed hash negotiation from SCRAM and turned it into a family of
1562      SASL mechanisms.
1563
1564
1565
1566
1567Menon-Sen, et al.      Expires September 24, 2009              [Page 28]
1568
1569Internet-Draft                    SCRAM                       March 2009
1570
1571
1572   o  Start using "Hash Function Textual Names" IANA registry for SCRAM
1573      mechanism naming.
1574
1575   o  Fixed definition of Hi(str, salt) to be consistent with [RFC2898].
1576
1577   o  Clarified extensibility of SCRAM: added m= attribute (for future
1578      mandatory extensions) and specified that all unrecognized
1579      attributes must be ignored.
1580
1581   Changes since -05
1582
1583   o  Changed the mandatory to implement hash algorithm to SHA-1 (as per
1584      WG consensus).
1585
1586   o  Added text about use of SASLPrep for username canonicalization/
1587      validation.
1588
1589   o  Clarified that authorization identity is canonicalized/verified
1590      according to SASL protocol profile.
1591
1592   o  Clarified that iteration count is per-user.
1593
1594   o  Clarified how clients select the authentication function.
1595
1596   o  Added IANA registration for the new mechanism.
1597
1598   o  Added missing normative references (UTF-8, SASLPrep).
1599
1600   o  Various editorial changes based on comments from Hallvard B
1601      Furuseth, Nico William and Simon Josefsson.
1602
1603   Changes since -04
1604
1605   o  Update Base64 and Security Glossary references.
1606
1607   o  Add Formal Syntax section.
1608
1609   o  Don't bother with "v=".
1610
1611   o  Make MD5 mandatory to implement.  Suggest i=128.
1612
1613   Changes since -03
1614
1615   o  Seven years have passed, in which it became clear that DIGEST-MD5
1616      suffered from unacceptably bad interoperability, so SCRAM-MD5 is
1617      now back from the dead.
1618
1619   o  Be hash agnostic, so MD5 can be replaced more easily.
1620
1621
1622
1623Menon-Sen, et al.      Expires September 24, 2009              [Page 29]
1624
1625Internet-Draft                    SCRAM                       March 2009
1626
1627
1628   o  General simplification.
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679Menon-Sen, et al.      Expires September 24, 2009              [Page 30]
1680
1681Internet-Draft                    SCRAM                       March 2009
1682
1683
168412.  References
1685
168612.1.  Normative References
1687
1688   [RFC2104]  Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
1689              Hashing for Message Authentication", RFC 2104,
1690              February 1997.
1691
1692   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
1693              Requirement Levels", BCP 14, RFC 2119, March 1997.
1694
1695   [RFC3174]  Eastlake, D. and P. Jones, "US Secure Hash Algorithm 1
1696              (SHA1)", RFC 3174, September 2001.
1697
1698   [RFC3454]  Hoffman, P. and M. Blanchet, "Preparation of
1699              Internationalized Strings ("stringprep")", RFC 3454,
1700              December 2002.
1701
1702   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
1703              10646", STD 63, RFC 3629, November 2003.
1704
1705   [RFC4013]  Zeilenga, K., "SASLprep: Stringprep Profile for User Names
1706              and Passwords", RFC 4013, February 2005.
1707
1708   [RFC4422]  Melnikov, A. and K. Zeilenga, "Simple Authentication and
1709              Security Layer (SASL)", RFC 4422, June 2006.
1710
1711   [RFC4648]  Josefsson, S., "The Base16, Base32, and Base64 Data
1712              Encodings", RFC 4648, October 2006.
1713
1714   [RFC5056]  Williams, N., "On the Use of Channel Bindings to Secure
1715              Channels", RFC 5056, November 2007.
1716
1717   [RFC5234]  Crocker, D. and P. Overell, "Augmented BNF for Syntax
1718              Specifications: ABNF", STD 68, RFC 5234, January 2008.
1719
172012.2.  Normative References for GSS-API implementors
1721
1722   [RFC2743]  Linn, J., "Generic Security Service Application Program
1723              Interface Version 2, Update 1", RFC 2743, January 2000.
1724
1725   [RFC3962]  Raeburn, K., "Advanced Encryption Standard (AES)
1726              Encryption for Kerberos 5", RFC 3962, February 2005.
1727
1728   [RFC4121]  Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos
1729              Version 5 Generic Security Service Application Program
1730              Interface (GSS-API) Mechanism: Version 2", RFC 4121,
1731              July 2005.
1732
1733
1734
1735Menon-Sen, et al.      Expires September 24, 2009              [Page 31]
1736
1737Internet-Draft                    SCRAM                       March 2009
1738
1739
1740   [RFC4401]  Williams, N., "A Pseudo-Random Function (PRF) API
1741              Extension for the Generic Security Service Application
1742              Program Interface (GSS-API)", RFC 4401, February 2006.
1743
1744   [RFC4402]  Williams, N., "A Pseudo-Random Function (PRF) for the
1745              Kerberos V Generic Security Service Application Program
1746              Interface (GSS-API) Mechanism", RFC 4402, February 2006.
1747
174812.3.  Informative References
1749
1750   [I-D.ietf-sasl-crammd5-to-historic]
1751              Zeilenga, K., "CRAM-MD5 to Historic",
1752              draft-ietf-sasl-crammd5-to-historic-00 (work in progress),
1753              November 2008.
1754
1755   [I-D.ietf-sasl-digest-to-historic]
1756              Melnikov, A., "Moving DIGEST-MD5 to Historic",
1757              draft-ietf-sasl-digest-to-historic-00 (work in progress),
1758              July 2008.
1759
1760   [I-D.ietf-sasl-rfc2831bis]
1761              Melnikov, A., "Using Digest Authentication as a SASL
1762              Mechanism", draft-ietf-sasl-rfc2831bis-12 (work in
1763              progress), March 2007.
1764
1765   [RFC2195]  Klensin, J., Catoe, R., and P. Krumviede, "IMAP/POP
1766              AUTHorize Extension for Simple Challenge/Response",
1767              RFC 2195, September 1997.
1768
1769   [RFC2202]  Cheng, P. and R. Glenn, "Test Cases for HMAC-MD5 and HMAC-
1770              SHA-1", RFC 2202, September 1997.
1771
1772   [RFC2898]  Kaliski, B., "PKCS #5: Password-Based Cryptography
1773              Specification Version 2.0", RFC 2898, September 2000.
1774
1775   [RFC4086]  Eastlake, D., Schiller, J., and S. Crocker, "Randomness
1776              Requirements for Security", BCP 106, RFC 4086, June 2005.
1777
1778   [RFC4510]  Zeilenga, K., "Lightweight Directory Access Protocol
1779              (LDAP): Technical Specification Road Map", RFC 4510,
1780              June 2006.
1781
1782   [RFC4616]  Zeilenga, K., "The PLAIN Simple Authentication and
1783              Security Layer (SASL) Mechanism", RFC 4616, August 2006.
1784
1785   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2",
1786              RFC 4949, August 2007.
1787
1788
1789
1790
1791Menon-Sen, et al.      Expires September 24, 2009              [Page 32]
1792
1793Internet-Draft                    SCRAM                       March 2009
1794
1795
1796   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
1797              (TLS) Protocol Version 1.2", RFC 5246, August 2008.
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847Menon-Sen, et al.      Expires September 24, 2009              [Page 33]
1848
1849Internet-Draft                    SCRAM                       March 2009
1850
1851
1852Authors' Addresses
1853
1854   Abhijit Menon-Sen
1855   Oryx Mail Systems GmbH
1856
1857   Email: ams@oryx.com
1858
1859
1860   Alexey Melnikov
1861   Isode Ltd
1862
1863   Email: Alexey.Melnikov@isode.com
1864
1865
1866   Chris Newman
1867   Sun Microsystems
1868   1050 Lakes Drive
1869   West Covina, CA  91790
1870   USA
1871
1872   Email: chris.newman@sun.com
1873
1874
1875   Nicolas Williams
1876   Sun Microsystems
1877   5300 Riata Trace Ct
1878   Austin, TX  78727
1879   USA
1880
1881   Email: Nicolas.Williams@sun.com
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903Menon-Sen, et al.      Expires September 24, 2009              [Page 34]
1904
1905