Next: , Previous: DIGEST-MD5, Up: Mechanisms

5.7 The SCRAM-SHA-1 mechanism

The SCRAM-SHA-1 mechanism is designed to provide (almost) the same capabilities as CRAM-MD5 and DIGEST-MD5 but use modern cryptographic techniques such as HMAC-SHA-1 hashing and PKCS#5 PBKDF2 key derivation. SCRAM-SHA-1 supports authorization identities. Like CRAM-MD5 and DIGEST-MD5, only a hashed password is transferred. Consequently, SCRAM-SHA-1 needs access to the correct password to verify the client response. Channel bindings are supported through the SCRAM-SHA-1-PLUS mechanism.

In the client, the non-PLUS mechanism is always enabled, and it requires the GSASL_AUTHID property, and either GSASL_PASSWORD or GSASL_SCRAM_SALTED_PASSWORD. When the GSASL_CB_TLS_UNIQUE property is available, the SCRAM-SHA-1-PLUS mechanism is also available and it will negotiate channel bindings when the server also supports it. If set, GSASL_AUTHZID will be used by the client. To be able to return the proper GSASL_SCRAM_SALTED_PASSWORD value, the client needs to check the GSASL_SCRAM_ITER and GSASL_SCRAM_SALT values which are available when the GSASL_SCRAM_SALTED_PASSWORD property is queried for.

In the server, the mechanism will require the GSASL_PASSWORD callback property, which may use the GSASL_AUTHID property to determine which users' password should be used. The GSASL_AUTHID will be in normalized form. The server will then normalize the returned password, and compare the client response with the computed correct response, and accept the user accordingly. The server may also set the GSASL_SCRAM_ITER and GSASL_SCRAM_SALT properties to influence the values to be used by clients to derive a key from a password. When the GSASL_CB_TLS_UNIQUE property is set, the SCRAM-SHA-1-PLUS mechanism is supported and is used to negotiate channel bindings.

The GSASL_CB_TLS_UNIQUE property signal that this side of the authentication supports channel bindings. Setting the property will enable the SCRAM-SHA-1-PLUS mechanism. For clients, this also instructs the SCRAM-SHA-1 mechanism to tell servers that the client believes the server does not support channel bindings if it is used (remember that clients should otherwise have chosen the SCRAM-SHA-1-PLUS mechanism instead of the SCRAM-SHA-1 mechanism). For servers, it means the SCRAM-SHA-1 mechanism will refuse to authenticate against a client that signals that it believes the server does not support channel bindings.

The SCRAM-SHA-1-PLUS mechanism will never complete authentication successfully if channel bindings are not confirmed.