SCRAM-SHA-1(-PLUS) + SCRAM-SHA-256(-PLUS) + SCRAM-SHA-512(-PLUS) + SCRAM-SHA3-512(-PLUS) supports

[Neustradamus]

Dear @duesee,

Can you add supports of :

• SCRAM-SHA-1
• SCRAM-SHA-1-PLUS
• SCRAM-SHA-256
• SCRAM-SHA-256-PLUS
• SCRAM-SHA-512
• SCRAM-SHA-512-PLUS
• SCRAM-SHA3-512
• SCRAM-SHA3-512-PLUS

You can add too:

• SCRAM-SHA-224
• SCRAM-SHA-224-PLUS
• SCRAM-SHA-384
• SCRAM-SHA-384-PLUS

"When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802]".

• SCRAM-SHA-1(-PLUS): -- https://tools.ietf.org/html/rfc5802 -- https://tools.ietf.org/html/rfc6120

• SCRAM-SHA-256(-PLUS): -- https://tools.ietf.org/html/rfc7677 since 2015-11-02 -- https://tools.ietf.org/html/rfc8600 since 2019-06-21: https://mailarchive.ietf.org/arch/msg/ietf-announce/suJMmeMhuAOmGn_PJYgX5Vm8lNA

• SCRAM-SHA-512(-PLUS): -- https://tools.ietf.org/html/draft-melnikov-scram-sha-512

• SCRAM-SHA3-512(-PLUS): -- https://tools.ietf.org/html/draft-melnikov-scram-sha3-512

• SCRAM BIS: Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms: -- https://tools.ietf.org/html/draft-melnikov-scram-bis

https://xmpp.org/extensions/inbox/hash-recommendations.html

-PLUS variants:

• RFC5056: On the Use of Channel Bindings to Secure Channels: https://tools.ietf.org/html/rfc5056
• RFC5929: Channel Bindings for TLS: https://tools.ietf.org/html/rfc5929
• Channel-Binding Types: https://www.iana.org/assignments/channel-binding-types/channel-binding-types.xhtml
• RFC 9266: Channel Bindings for TLS 1.3: https://tools.ietf.org/html/rfc9266

IMAP:

• RFC9051: Internet Message Access Protocol (IMAP) - Version 4rev2: https://tools.ietf.org/html/rfc9051

LDAP:

• RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing Salted: Challenge Response Authentication Mechanism (SCRAM) Secrets: https://tools.ietf.org/html/rfc5803

HTTP:

• RFC7804: Salted Challenge Response HTTP Authentication Mechanism: https://tools.ietf.org/html/rfc7804

2FA:

• Extensions to Salted Challenge Response (SCRAM) for 2 factor authentication: https://datatracker.ietf.org/doc/html/draft-ietf-kitten-scram-2fa

IANA:

• Simple Authentication and Security Layer (SASL) Mechanisms: https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml

Linked to:

• https://github.com/scram-xmpp/info/issues/1
• https://github.com/duesee/imap-flow/issues/97

[gowthamgts]

https://news.ycombinator.com/item?id=39868682

[Neustradamus]

@gowthamgts: Do you attack me because I have requested the XZ update? I am not linked to the XZ project.

[duesee]

Thanks for the hint, @gowthamgts!

Some thoughts (and context):

This issue asks to implement support for some SCRAM variants -- it doesn't "push for changes to sha256" as said on HN. To the best of my knowledge, there is nothing wrong with SCRAM -- to the contrary. Thus, I believe @Neustradamus opened this issue in good faith.

Still, while you are here:

SASL is old and complex. It's also literally the key to our online identity. Yet, it feels under-researched. Maybe we can use our energy to take a closer look on SASL implementations?

(While I can't do much research on my own currently, I will happily assist anyone wanting to do so with tooling, expertise, etc.! Want to see that happen for quite some time now...)

[gowthamgts]

@Neustradamus definitely no. At this point in time I just wanted to be sure that people knew about the backdoor. You can definitely be a genuine user or a developer or a contributor or even a penguin on the internet. 🙂

@duesee understood. No harm no foul. These PRs were flagged by people earlier and just wanted to make sure this reached the maintainers of the projects.

[Neustradamus]

@duesee: Thanks for your answer, several people mix all.

@gowthamgts: Strange, your messages are not clear:

• https://github.com/duesee/imap-flow/issues/96#issuecomment-2027899343
• https://github.com/marlam/msmtp/issues/36#issuecomment-2027900141
• https://news.ycombinator.com/item?id=39871685

You can follow my announcements here:

• https://mastodon.social/@neustradamus
• https://twitter.com/neustradamus
• https://bsky.app/profile/neustradamus.bsky.social
• https://news.ycombinator.com/user?id=neustradamus

The good point, people speak about SCRAM "Salted Challenge Response Authentication Mechanism" security ;)

• https://github.com/scram-sasl/info/issues/1

Badly, some people or projects like only old unsecure mechanisms, some would like security improvements.

cc: @canselcik, @winkelcode, @timrobbins1, @sebpretzer, @sroussey, @masklinn, @asmor (not sure).

[mbhangui]

@Neustradamus had requesed me too for implementation of SCRAM (See this). What he has asked me to add is something which is genuine and supported by many RFCs. Implementation of those RFC's in my project was what he pursued. Apart from the followup on SCRAM implementation he has been helpful in few occassions to better organize my projects on github. At no point has he suggested me to include any code apart from suggesting which projects that have implemented SCRAM. IME he has always been sincere in interactions with me.

[LeoniePhiline]

@Neustradamus Please stop CCing people who reacted to an issue comment.

[Neustradamus]

@LeoniePhiline: Sorry, thanks for your message. It is important to understand all and not a little part :)

[gowthamgts]

@Neustradamus I've already explained here dude. I don't understand why you keep spamming and ccing me everywhere. If you're not guilty just move on.

[Neustradamus]

Why? Because people contact me about it. It is important to have the detail on linked publications because a lot of people do not click on other links directly.

[duesee]

Thanks for the comments, but I feel this discussion is a bit of a distraction. If you disagree, write me an email and I'll unlock the discussion again.