<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc='yes' ?>
<?rfc editing='no' ?>
<?rfc symrefs='yes' ?>
<?rfc sortrefs='no'?>
<?rfc linkmailto='no'?>
<?rfc compact='yes'?>
<?rfc comments='yes'?>
<?rfc inline='yes'?>
<?rfc-ext parse-xml-in-artwork='yes' ?>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<rfc ipr='trust200902' docName='draft-hansen-scram-sha256-02' category='info' updates='5802'>
<front>
<title abbrev='SASL SCRAM-SHA-256/SCRAM-SHA-256-PLUS'>SCRAM-SHA-256 and SCRAM-SHA-256-PLUS SASL Mechanisms</title>
<author initials='T.' surname='Hansen' fullname='Tony Hansen'>
<organization>AT&amp;T Laboratories</organization>
<address>
<postal>
<street>200 Laurel Ave. South</street>
<city>Middletown</city>
<region>NJ</region>
<code>07748</code>
<country>USA</country>
</postal>
<email>tony+scramsha256@maillennium.att.com</email>
</address>
</author>
<date />
<area>Security</area>
<workgroup>Kitten</workgroup>
<keyword>Requests for Comment</keyword>
<abstract>
<t>
This document registers the SASL mechanisms SCRAM-SHA-256 and SCRAM-SHA-256-PLUS.
It also updates RFC 5802 in minor ways.
</t>
</abstract>
</front>
<middle>
<section title='Introduction'>
<t>
This document registers the SASL mechanisms SCRAM-SHA-256 and SCRAM-SHA-256-PLUS.
</t>
<t>
The registration form for the SCRAM family of algorithms is also updated.
</t>
<t>
Note: this paragraph may be removed before publication.
<vspace/>
This document was written because <xref target='RFC5802'/> requires that new SASL mechanisms in the SCRAM family
be subject to IETF review.
This document is being discussed in the KITTEN working group
(see the <eref target='mailto:kitten@ietf.org'>kitten@ietf.org</eref> mailing list).
It was pursued further because of a desire for its use within a document being discussed in the HTTP-AUTH working group
(see the <eref target='mailto:httpauth@ietf.org'>httpauth@ietf.org</eref> mailing list).
</t>
</section>
<section title='SCRAM-SHA-256 and SCRAM-SHA-256-PLUS'>
<t>
The SCRAM-SHA-256 and SCRAM-SHA-256-PLUS SASL mechanisms are defined in the same way
that SCRAM-SHA-1 and SCRAM-SHA-1-PLUS are defined
in <xref target='RFC5802'/>, except that the hash function for HMAC() and H() uses SHA-256 instead of SHA-1
<xref target='RFC6234'/>.
</t>
<t>
For the SCRAM-SHA-256/SCRAM-SHA-256-PLUS SASL mechanisms, servers
SHOULD announce a hash iteration-count of at least 4096.
</t>
<t>
The GSS-API mechanism OID for SCRAM-SHA-256 is TBD1 (see <xref target='iana'/>).
</t>
<t>
This is a simple example of a SCRAM-SHA-256 authentication exchange
when the client doesn't support channel bindings (username 'user' and
password 'pencil' are used):
<list style='hanging' hangIndent='3'>
<t hangText='C:'>n,,n=user,r=rOprNGfwEbeRWgbNEkqO</t>
<t hangText='S:'>r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,<vspace/>
s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096</t>
<t hangText='C:'>c=biws,r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,<vspace/>
p=dHzbZapWIk4jUhN+Ute9ytag9zjfMHgsqmmiz7AndVQ=</t>
<t hangText='S:'>v=6rriTRBi23WpRR/wtup+mMhUZUn/dB5nLTJRsjl95G4=</t>
</list>
</t>
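<t>
The following is an added example, not part of this draft, that recomputes the p= and v= values of the exchange above
from the draft's own four messages using only the Python standard library
(Hi() is PBKDF2 with HMAC-SHA-256, as in Section 2.2 of RFC 5802 with the hash substituted).
It assumes the password is already SASLprep-normalized ("pencil" is unchanged by SASLprep).
The refusal of an iteration count below 4096 is this example's own client-side policy;
the draft only says what servers SHOULD announce.
The server-side function shows that verification needs StoredKey alone, never the password.
</t>
<figure><artwork>
```python
# Added example (not part of the draft): recompute the SCRAM-SHA-256 client
# proof and server signature for the exchange in the section above.
import base64
import hashlib
import hmac

# Iteration-count floor the draft says servers SHOULD announce. Treating it as a
# client-side minimum is this example's own policy, not a requirement of the draft.
MIN_ITERATIONS = 4096

# The messages of the exchange, copied from the draft (client nonce
# rOprNGfwEbeRWgbNEkqO, password "pencil", no channel binding, so c=biws is
# base64("n,,")). The GS2 header "n,," is not part of client-first-bare.
CLIENT_FIRST_BARE = "n=user,r=rOprNGfwEbeRWgbNEkqO"
SERVER_FIRST = ("r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,"
                "s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096")
CLIENT_FINAL_WITHOUT_PROOF = "c=biws,r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0"


def parse_attrs(message):
    """Split a SCRAM message into attr=value pairs (values may themselves contain '=')."""
    return dict(part.split("=", 1) for part in message.split(","))


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def derive_keys(password, server_first):
    """SaltedPassword, ClientKey, StoredKey, ServerKey per RFC 5802 Section 3, with SHA-256."""
    attrs = parse_attrs(server_first)
    salt = base64.b64decode(attrs["s"])
    iterations = int(attrs["i"])
    if MIN_ITERATIONS > iterations:
        # A server announcing a tiny count makes offline guessing against a
        # captured exchange cheap; refuse rather than silently comply.
        raise ValueError("iteration count %d below minimum %d" % (iterations, MIN_ITERATIONS))
    # Hi(str, salt, i) == PBKDF2-HMAC-SHA-256 with dkLen equal to the hash size (32).
    salted_password = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted_password, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted_password, b"Server Key", hashlib.sha256).digest()
    return client_key, stored_key, server_key


def auth_message(client_first_bare, server_first, client_final_without_proof):
    return ",".join((client_first_bare, server_first, client_final_without_proof)).encode("utf-8")


def client_proof(password, client_first_bare, server_first, client_final_without_proof):
    """What the client sends as p=: ClientKey XOR HMAC(StoredKey, AuthMessage), base64."""
    client_key, stored_key, _ = derive_keys(password, server_first)
    msg = auth_message(client_first_bare, server_first, client_final_without_proof)
    client_signature = hmac.new(stored_key, msg, hashlib.sha256).digest()
    return base64.b64encode(xor_bytes(client_key, client_signature)).decode("ascii")


def server_verify(stored_key, msg, proof_b64):
    """Server side: needs only StoredKey. Recover ClientKey = proof XOR ClientSignature
    and check that H(ClientKey) matches the stored value, in constant time."""
    client_signature = hmac.new(stored_key, msg, hashlib.sha256).digest()
    recovered_client_key = xor_bytes(base64.b64decode(proof_b64), client_signature)
    return hmac.compare_digest(hashlib.sha256(recovered_client_key).digest(), stored_key)


def server_signature(server_key, msg):
    """What the server sends back as v=, proving it holds ServerKey for this user."""
    return base64.b64encode(hmac.new(server_key, msg, hashlib.sha256).digest()).decode("ascii")


def run_example(password="pencil"):
    """Drive the draft's exchange end to end with the given client password.
    Returns (p= value the client sends, whether the server accepts it, v= value)."""
    proof = client_proof(password, CLIENT_FIRST_BARE, SERVER_FIRST, CLIENT_FINAL_WITHOUT_PROOF)
    # The server holds StoredKey/ServerKey derived at enrollment from the real password.
    _, stored_key, server_key = derive_keys("pencil", SERVER_FIRST)
    msg = auth_message(CLIENT_FIRST_BARE, SERVER_FIRST, CLIENT_FINAL_WITHOUT_PROOF)
    accepted = server_verify(stored_key, msg, proof)
    return proof, accepted, server_signature(server_key, msg)


if __name__ == "__main__":
    p, ok, v = run_example()
    print("p=" + p)
    print("server accepted proof:", ok)
    print("v=" + v)
```
</artwork></figure>
<t>
Running it reproduces the p= and v= strings shown in the exchange above, and a wrong client password yields a proof the server rejects
while v= is unchanged, since the server computes it from its own ServerKey.
Note that an attacker who obtains StoredKey and also captures one successful exchange can recover ClientKey
from the proof and impersonate the client, which is why RFC 5802 Section 9 asks for the authentication database to be protected.
</t>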
</section>
<section title='Security Considerations' anchor='security'>
<t>
The security considerations from <xref target='RFC5802'/> still apply.
</t>
</section>
<section title='IANA Considerations' anchor='iana'>
<t>
The IANA registry for the SCRAM family of SASL mechanisms is updated as follows.
This revised form adds two new fields: Minimum iteration-count and Associated OID.
In addition, the email address for reviews has been updated.
<list style='empty'>
<t>To: iana@iana.org<vspace/>
Subject: Registration of a new SASL family SCRAM
</t>
<t>
SASL mechanism name (or prefix for the family): SCRAM-*<vspace/>
Security considerations: Section 7 of <xref target='RFC5802'/><vspace/>
Published specification (optional, recommended): RFCXXXX<vspace/>
Minimum iteration-count: The minimum iteration-count that servers SHOULD announce
<vspace/>
Associated OID: IANA SHOULD assign a GSS-API mechanism OID for
this mechanism from the iso.org.dod.internet.security.mechanisms prefix
(see the "SMI Security for Mechanism Codes" registry).
Only one OID needs to be assigned for a SCRAM-* and SCRAM-*-PLUS pair.
The same OID should be assigned to both entries in the registry.
<vspace/>
Person &amp; email address to contact for further information:
IETF KITTEN WG kitten@ietf.org<vspace/>
Intended usage: COMMON<vspace/>
Owner/Change controller: IESG iesg@ietf.org<vspace/>
Note: Members of this family MUST be explicitly registered
using the "IETF Review" <xref target='RFC5226'/> registration procedure.
Reviews MUST be requested on the KITTEN mailing list kitten@ietf.org
(or a successor designated by the responsible Security AD).
</t>
<t>
Note to future SCRAM-mechanism designers: each new SCRAM-SASL
mechanism MUST be explicitly registered with IANA and MUST comply
with SCRAM-mechanism naming convention defined in Section 4 of
<xref target='RFC5802'/>.
</t>
</list>
</t>
<t>
The following values are to be added to the existing registry entries for SASL SCRAM-SHA-1 and SCRAM-SHA-1-PLUS:
<list style='empty'>
<t>
Minimum iteration-count: 4096<vspace/>
OID: 1.3.6.1.5.5.14 (from <xref target='RFC5802'/>)
</t>
</list>
</t>
<t>
The following new SASL SCRAM mechanisms are added:
<list style='empty'>
<t>
IANA has added the following entries to the SASL Mechanism registry
established by <xref target='RFC4422'/>:
</t>
<t>To: iana@iana.org<vspace/>
Subject: Registration of a new SASL mechanism SCRAM-SHA-256
</t>
<t>
SASL mechanism name (or prefix for the family): SCRAM-SHA-256<vspace/>
Security considerations: Section <xref target='security'/> of RFCXXXX<vspace/>
Published specification (optional, recommended): RFCXXXX<vspace/>
Minimum iteration-count: 4096<vspace/>
OID: TBD1<vspace/>
Person & email address to contact for further information:
IETF KITTEN WG kitten@ietf.org<vspace/>
Intended usage: COMMON<vspace/>
Owner/Change controller: IESG iesg@ietf.org<vspace/>
Note:
</t>
<t>
To: iana@iana.org<vspace/>
Subject: Registration of a new SASL mechanism SCRAM-SHA-256-PLUS
</t>
<t>
SASL mechanism name (or prefix for the family): SCRAM-SHA-256-PLUS<vspace/>
Security considerations: Section <xref target='security'/> of RFCXXXX<vspace/>
Published specification (optional, recommended): RFCXXXX<vspace/>
Minimum iteration-count: 4096<vspace/>
OID: TBD1<vspace/>
Person & email address to contact for further information:
IETF KITTEN WG kitten@ietf.org<vspace/>
Intended usage: COMMON<vspace/>
Owner/Change controller: IESG iesg@ietf.org<vspace/>
Note:
</t>
</list>
</t>
<t>
[This note may be removed on publication.]
IANA needs to assign the GSS-API mechanism OID TBD1 listed above
from the iso.org.dod.internet.security.mechanisms prefix
(see the "SMI Security for Mechanism Codes" registry).
</t>
</section>
<section title='Acknowledgements'>
<t>
This document benefited from discussions on the KITTEN WG mailing list.
The author would like to specially thank
Russ Allbery,
Dave Cridland,
Shawn Emery,
Simon Josefsson,
and
Alexey Melnikov for their comments on this topic.
</t>
</section>
</middle>
<back>
<references title='Normative References'>
<?rfc include='reference.RFC.5802' ?>
<?rfc include='reference.RFC.6234' ?>
</references>
<references title='Informative References'>
<?rfc include='reference.RFC.4422' ?>
<?rfc include='reference.RFC.5226' ?>
</references>
</back>
</rfc>