rufferson
commented
3 years ago Hi Sam, Thanks for looking into this. According to RFC5802
SCRAM Mechanism Names
A SCRAM mechanism name is a string "SCRAM-" followed by the uppercased name of the underlying hash function taken from the IANA "Hash Function Textual Names" registry (see http://www.iana.org), optionally followed by the suffix "-PLUS" (see below).
So the mechanisms are perfectly fine from this perspective. I always wondered why RFC7677 even exists but I do agree that that particular RFC puts additional restrictions on name usage by setting up a registry and mandating only registered mechanisms to be used.
As for 'does not add any security' - this is arguable, sha512 has better collision resistance (even though there's no known practical algorithm to produce collision for either sha256 or sha512 and they are used for HMAC) and higher complexity (means with same iteration count pbkdf2 is more resistant to brute force with 512) - which is handy for securing passwords at rest (salted).
Finally for "no one uses it" - it is defined in Cyrus SASL hence any server/client using that library is potentially using those mechanisms. I've also found references to it in WildFly Security SCRAM SASL Implementation. So I'm afraid it's a bit late to ban its existence.
SamWhited
Neustradamus
Hi,
While looking into wocky I noticed the following lines:
https://github.com/TelepathyIM/wocky/blob/master/wocky/wocky-auth-registry.c#L279-L283
The
SCRAM-SHA1andSCRAM-SHA-256SASL mechanisms are standardized by the IETF. However, there is no such mechanism asSCRAM-SHA-512orSCRAM-SHA-384. Since they are not supported by any XMPP clients, and do not provide any known security benefit over either of the other SCRAM mechanisms (since the hash is just used in an HMAC), please consider removing these mechanisms.If the mechanisms are left in, and eventually a
SCRAM-SHA-512mechanism is created by the IETF but it differs somehow from the other mechanisms, you will have an incompatible version. This also may encourage other developers to implement the non-standard mechanism and/or to not support the actual standardized mechanisms out of some misguided idea that bigger numbers means that it is somehow "more secure". We don't want to have to clean up a mess later, or encourage other XMPP stacks to invent their own mechanisms which may only work with one or two clients and servers when safe, standardized, mechanisms have already been thought through by a group with expertise in these matters.TL;DR let's not make up our own crypto, it's dangerous. Please trust the experts and wait until the IETF reviews and standardizes a new mechanism before implementing it.
Thanks for your consideration.