SCRAM-SHA-1(-PLUS) + SCRAM-SHA-256(-PLUS) + SCRAM-SHA-512(-PLUS) + SCRAM-SHA3-512(-PLUS) supports

[Neustradamus]

Dear @crystal-lang team,

In first, I wish you a Happy New Year!

---

Note: @naqvis has already worked on a part here: https://github.com/naqvis/cr-xmpp I think that he can added directly here:

• SCRAM-SHA-1
• SCRAM-SHA-256

• SCRAM-SHA-512

Can you add in https://github.com/crystal-lang/crystal supports of:

• SCRAM-SHA-1
• SCRAM-SHA-1-PLUS
• SCRAM-SHA-256
• SCRAM-SHA-256-PLUS
• SCRAM-SHA-512
• SCRAM-SHA-512-PLUS
• SCRAM-SHA3-512
• SCRAM-SHA3-512-PLUS

You can add too:

• SCRAM-SHA-224
• SCRAM-SHA-224-PLUS
• SCRAM-SHA-384
• SCRAM-SHA-384-PLUS

"When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802]".

• SCRAM-SHA-1(-PLUS): -- https://tools.ietf.org/html/rfc5802 -- https://tools.ietf.org/html/rfc6120

• SCRAM-SHA-256(-PLUS): -- https://tools.ietf.org/html/rfc7677 since 2015-11-02 -- https://tools.ietf.org/html/rfc8600 since 2019-06-21: https://mailarchive.ietf.org/arch/msg/ietf-announce/suJMmeMhuAOmGn_PJYgX5Vm8lNA

• SCRAM-SHA-512(-PLUS): -- https://tools.ietf.org/html/draft-melnikov-scram-sha-512

• SCRAM-SHA3-512(-PLUS): -- https://tools.ietf.org/html/draft-melnikov-scram-sha3-512

https://xmpp.org/extensions/inbox/hash-recommendations.html

-PLUS variants:

• RFC5056: On the Use of Channel Bindings to Secure Channels: https://tools.ietf.org/html/rfc5056
• RFC5929: Channel Bindings for TLS: https://tools.ietf.org/html/rfc5929
• Channel-Binding Types: https://www.iana.org/assignments/channel-binding-types/channel-binding-types.xhtml
• RFC 9266: Channel Bindings for TLS 1.3: https://tools.ietf.org/html/rfc9266

IMAP:

• RFC9051: Internet Message Access Protocol (IMAP) - Version 4rev2: https://tools.ietf.org/html/rfc9051

LDAP:

• RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing Salted: Challenge Response Authentication Mechanism (SCRAM) Secrets: https://tools.ietf.org/html/rfc5803

HTTP:

• RFC7804: Salted Challenge Response HTTP Authentication Mechanism: https://tools.ietf.org/html/rfc7804

2FA:

• Extensions to Salted Challenge Response (SCRAM) for 2 factor authentication: https://tools.ietf.org/html/draft-melnikov-scram-2fa

IANA:

• Simple Authentication and Security Layer (SASL) Mechanisms: https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml

Linked to:

• https://github.com/scram-xmpp/info/issues/1

[straight-shoota]

Happy New Year to you as well!

Thanks for bringing this up. However, I can't make much sense of this largely uncommented collection of references. I get that you propose adding a number of SCRAM-SHA algorithms to Crystal's standard library. I can find no comprehensible reason for that. Please detail why you think those should be added to the standard library (as opposed to being provided in a shard such https://github.com/naqvis/cr-xmpp).

[Neustradamus]

@straight-shoota: Thanks for your reply and your wishes.

It is to replace old and unsecure DIGEST-MD5 included in this lib by SCRAM-SHA- and SCRAM-SHA--PLUS.

• https://github.com/crystal-lang/crystal/search?q=md5

I inform you that there are already 3 versions in cr-xmpp to help.

Of course you need to read, SCRAM informations are in this ticket and a list of libs/softs already compatible here:

• https://github.com/scram-xmpp/info/issues/1

It is important to security because DIGEST-MD5 is obsolete and unsecure.

[jhass]

AFAIR Crystal's standard library does not implement CRAM-MD5 anywhere. The Digest namespace refers to hash digests in the general sense and is collecting different hash digest algorithms. What these then are then are applied for is outside the scope of the Crystal standard library. Removing any and all possibility to compute an MD5 hash digest does not seem reasonable. Likewise AFAIR there's no precedent for providing specific challenge response authentication mechanisms, so we need to have some actual good motivations brought forward to consider this.

[Neustradamus]

Good comment from @konovod: https://github.com/crystal-lang/crystal/issues/11731#issuecomment-1008302600.

But here, the goal is to have SCRAM supports.

It is not possible to add?

[straight-shoota]

It can be added if there's a good reason to have this in stdlib. I don't see such good reason. It's probably better placed in a shard.