One document matched: draft-ietf-httpauth-scram-auth-13.xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml' -->
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc2104 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2104.xml'>
<!ENTITY rfc2119 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml'>
<!ENTITY rfc2865 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2865.xml'>
<!ENTITY rfc2898 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2898.xml'>
<!ENTITY rfc2945 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2945.xml'>
<!ENTITY rfc6234 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.6234.xml'>
<!ENTITY rfc3454 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3454.xml'>
<!ENTITY rfc3629 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3629.xml'>
<!ENTITY rfc4013 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4013.xml'>
<!ENTITY rfc4086 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4086.xml'>
<!ENTITY rfc4510 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4510.xml'>
<!ENTITY rfc4616 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4616.xml'>
<!ENTITY rfc4648 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4648.xml'>
<!ENTITY rfc4949 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4949.xml'>
<!ENTITY rfc5056 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5056.xml'>
<!ENTITY rfc5226 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5226.xml'>
<!ENTITY rfc5234 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5234.xml'>
<!ENTITY rfc5246 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5246.xml'>
<!ENTITY rfc5802 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5802.xml'>
<!ENTITY rfc5929 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5929.xml'>
<!ENTITY rfc7235 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.7235.xml'>
<!ENTITY rfc7613 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.7613.xml'>
<!ENTITY rfc7615 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.7615.xml'>
<!ENTITY rfc7677 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.7677.xml'>
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc toc="yes" ?>
<?rfc tocindent="no" ?>
<?rfc autobreaks="no" ?>
<?rfc comments="yes" ?>
<?rfc inline="yes" ?>
<?rfc symrefs="yes" ?>
<?rfc sortrefs="yes"?>
<?rfc iprnotified="no" ?>
<?rfc strict="no" ?>
<?rfc compact="no"?>
<rfc ipr="trust200902" category="exp" docName="draft-ietf-httpauth-scram-auth-13.txt">
<front>
<title abbrev="HTTP SCRAM">Salted Challenge Response (SCRAM) HTTP Authentication Mechanism</title>
<author initials='A.' surname="Melnikov" fullname="Alexey Melnikov">
<organization>Isode Ltd</organization>
<address>
<email>Alexey.Melnikov@isode.com</email>
</address>
</author>
<date year="2015"/>
<area>Security</area>
<workgroup>HTTPAUTH</workgroup>
<keyword>HTTP</keyword>
<keyword>SASL</keyword>
<keyword>SCRAM</keyword>
<keyword>GS2</keyword>
<keyword>GSSAPI</keyword>
<keyword>GSS-API</keyword>
<abstract>
<t>The authentication mechanism most widely deployed
and used by Internet application protocols is the
transmission of clear-text passwords over a channel
protected by Transport Layer Security (TLS). There are
some significant security concerns with that mechanism,
which could be addressed by the use of a challenge
response authentication mechanism protected by TLS.
Unfortunately, the HTTP Digest challenge response mechanism
presently on the standards track failed widespread deployment, and
have had success only in limited use.</t>
<t>This specification describes a family of
HTTP authentication mechanisms called the Salted Challenge Response
Authentication Mechanism (SCRAM), which addresses
security concerns with HTTP Digest and meets the deployability
requirements. When used in combination with TLS or an
equivalent security layer, a mechanism from this family
could improve the status-quo for HTTP
authentication.</t>
</abstract>
</front>
<middle>
<section anchor="conv" title="Conventions Used in This Document">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
"SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be
interpreted as described in <xref
target='RFC2119'/>.</t>
<t>Formal syntax is defined by <xref target='RFC5234'/>
including the core rules defined in Appendix B of <xref
target='RFC5234'/>.
<!--////Alexey also use N# rule from draft-ietf-httpbis-p7-auth?-->
</t>
<t>Example lines prefaced by "C:" are sent by the client and
ones prefaced by "S:" by the server. If a single "C:" or
"S:" label applies to multiple lines, then the line
breaks between those lines are for editorial clarity
only, and are not part of the actual protocol
exchange.</t>
<section title="Terminology">
<t>This document uses several terms defined in <xref
target='RFC4949'/> ("Internet Security
Glossary") including the following: authentication,
authentication exchange, authentication information,
brute force, challenge-response, cryptographic hash
function, dictionary attack, eavesdropping, hash
result, keyed hash, man-in-the-middle, nonce,
one-way encryption function, password, replay attack
and salt. Readers not familiar with these terms
should use that glossary as a reference.</t>
<t>Some clarifications and additional definitions
follow:
<list style='symbols'>
<t>Authentication information: Information used
to verify an identity claimed by a SCRAM
client. The authentication information for a
SCRAM identity consists of salt, iteration
count, the "StoredKey" and "ServerKey" (as
defined in the algorithm overview) for each
supported cryptographic hash function.</t>
<t>Authentication database: The database used to
look up the authentication information
associated with a particular identity. For
application protocols, LDAPv3 (see <xref
target='RFC4510'/>) is frequently used
as the authentication database. For
network-level protocols such as PPP or
802.11x, the use of RADIUS <xref target='RFC2865'/> is more
common.</t>
<t>Base64: An encoding mechanism defined in
Section 4 of <xref target='RFC4648'/> which converts an
octet string input to a textual output
string which can be easily displayed to a
human. The use of base64 in SCRAM is
restricted to the canonical form with no
whitespace.</t>
<t>Octet: An 8-bit byte.</t>
<t>Octet string: A sequence of 8-bit bytes.</t>
<t>Salt: A random octet string that is combined
with a password before applying a one-way
encryption function. This value is used to
protect passwords that are stored in an
authentication database.</t>
</list>
</t>
</section>
<section title="Notation">
<!--////Review if all of these are needed if we include SCRAM mechanism by reference?-->
<t>The pseudocode description of the algorithm uses the
following notations:
<list style='symbols'>
<t>":=": The variable on the left hand side
represents the octet string resulting from
the expression on the right hand side.</t>
<t>"+": Octet string concatenation.</t>
<t>"[ ]": A portion of an expression enclosed in
"[" and "]" may not be included in the
result under some circumstances. See the
associated text for a description of those
circumstances.</t>
<!-- Extract from the Precis SASLPrepBis:
4.2.1. Preparation
An entity that prepares a string according to this profile MUST
ensure that the string consists only of Unicode code points that
conform to the "FreeformClass" base string class defined in
[RFC7564]. In addition, the string MUST be encoded as UTF-8
[RFC3629].
4.2.2. Enforcement
An entity that performs enforcement according to this profile MUST
prepare a string as described in the previous section and MUST also
apply the rules specified below (these rules MUST be applied in the
order shown).
1. Width Mapping Rule: Fullwidth and halfwidth characters MUST NOT
be mapped to their decomposition mappings (see Unicode Standard
Annex #11 [UAX11]).
2. Additional Mapping Rule: Any instances of non-ASCII space MUST be
mapped to ASCII space (U+0020); a non-ASCII space is any Unicode
code point having a general category of "Zs", naturally with the
exception of U+0020.
3. Case Mapping Rule: Uppercase and titlecase characters MUST NOT be
mapped to their lowercase equivalents.
4. Normalization Rule: Unicode Normalization Form C (NFC) MUST be
applied to all characters.
5. Directionality Rule: There is no directionality rule. The "Bidi
Rule" (defined in [RFC5893]) and similar rules are unnecessary
and inapplicable to passwords, since they can reduce the range of
characters that are allowed in a string and therefore reduce the
amount of entropy that is possible in a password. Such rules are
intended to minimize the possibility that the same string will be
displayed differently on a layout system set for right-to-left
display and a layout system set for left-to-right display;
however, passwords are typically not displayed at all and are
rarely meant to be interoperable across different layout systems
in the way that non-secret strings like domain names and
usernames are. Furthermore, it is perfectly acceptable for
opaque strings other than passwords to be presented differently
in different layout systems, as long as the presentation is
consistent in any given layout system.
4.2.3. Comparison
An entity that performs comparison of two strings according to this
profile MUST prepare each string and enforce the rules specified in
the previous two sections. The two strings are to be considered
equivalent if they are an exact octet-for-octet match (sometimes
called "bit-string identity").
-->
<t>
<!--////Ask PSA if this is correct?-->
Normalize(str): Apply the Preparation and Enforcement steps according to the OpaqueString profile
(see <xref target="RFC7613"/>) to a UTF-8 <xref target='RFC3629'/> encoded "str".
The resulting string is also in UTF-8.
<!--////Is any of this needed?
When applying SASLPrep,
"str" is treated as a "stored strings", which means that unassigned
Unicode codepoints are prohibited (see Section 7 of <xref target='RFC3454'/>).
-->
Note that implementations MUST either implement OpaqueString profile operations from <xref target="RFC7613"/>,
or disallow use of non US-ASCII Unicode codepoints in "str". The latter is a particular case of compliance
with <xref target="RFC7613"/>.
</t>
<t>HMAC(key, str): Apply the HMAC keyed hash
algorithm (defined in <xref
target='RFC2104'/>) using the octet
string represented by "key" as the key and
the octet string "str" as the input string.
The size of the result is the hash result
size for the hash function in use. For
example, it is 32 octets for SHA-256 and
20 octets for SHA-1 (see
<xref target='RFC6234'/>).</t>
<t>H(str): Apply the cryptographic hash function
to the octet string "str", producing an
octet string as a result. The size of the
result depends on the hash result size for
the hash function in use.</t>
<t>XOR: Apply the exclusive-or operation to
combine the octet string on the left of this
operator with the octet string on the right
of this operator. The length of the output
and each of the two inputs will be the same
for this use.</t>
<t>Hi(str, salt, i):</t>
</list>
</t>
<figure>
<artwork>
<![CDATA[
U1 := HMAC(str, salt + INT(1))
U2 := HMAC(str, U1)
...
Ui-1 := HMAC(str, Ui-2)
Ui := HMAC(str, Ui-1)
Hi := U1 XOR U2 XOR ... XOR Ui
]]>
</artwork>
</figure>
<t>
<list style='empty'>
<t>where "i" is the iteration count, "+" is the
string concatenation operator and INT(g) is
a four-octet encoding of the integer g, most
significant octet first.</t>
<t>Hi() is, essentially, PBKDF2 <xref
target='RFC2898'/> with HMAC() as the
PRF and with dkLen == output length of
HMAC() == output length of H().</t>
</list>
</t>
</section>
</section>
<section title="Introduction">
<!--////Alexey: Compare this draft with the final version of SCRAM RFC.
Some text and ABNF might differ, which would be bad!-->
<!--////Alexey: Add a section emphasizing changes since RFC 5802, if any?-->
<t>This specification describes a family of authentication
mechanisms called the Salted Challenge Response
Authentication Mechanism (SCRAM) which addresses the
requirements necessary to deploy a challenge-response
mechanism more widely than past attempts (see <xref target='RFC5802'/>). When used in
combination with Transport Layer Security (TLS, see
<xref target='RFC5246'/>) or an equivalent security
layer, a mechanism from this family could improve the
status-quo for HTTP authentication.</t>
<t>HTTP SCRAM is adoptation of <xref target='RFC5802'/> for use in HTTP.
(SCRAM data exchanged is identical to what is defined in <xref target='RFC5802'/>.)
It also adds 1 round trip reauthentication mode.</t>
<t>HTTP SCRAM provides the following protocol features:
<list style='symbols'>
<t>The authentication information stored in the
authentication database is not sufficient by
itself (without a dictionary attack) to impersonate the client.
The information is salted to prevent a pre-stored
dictionary attack if the database is stolen.</t>
<t>The server does not gain the ability to
impersonate the client to other servers (with an
exception for server-authorized proxies).</t>
<!--////Is this actually true or is this related to the proxy authentication again?-->
<t>The mechanism permits the use of a
server-authorized proxy without requiring that
proxy to have super-user rights with the
back-end server.</t>
<t>Mutual authentication is supported, but only the
client is named (i.e., the server has no
name).</t>
<!--////Alexey: is this relevant for HTTP?
<t>When used as a SASL mechanism, SCRAM is capable of
transporting authorization identities (see
<xref target='RFC4422'/>, Section 2) from the client
to the server.
</t>
-->
</list>
</t>
<!--////Alexey: keep, but point to RFC 5802?
<t>For an in-depth discussion of why other challenge
response mechanisms are not considered sufficient, see
appendix A. For more information about the motivations
behind the design of this mechanism, see appendix B.</t>
-->
</section>
<section title="SCRAM Algorithm Overview" anchor='overview'>
<t>The following is a description of a full HTTP SCRAM authentication exchange.
Note that this section omits some details, such as client
and server nonces. See <xref target='protocol'/> for
more details.</t>
<t>To begin with, the SCRAM client is in possession of a username
and password (*) (or a ClientKey/ServerKey, or SaltedPassword).
It sends the username to the server,
which retrieves the corresponding authentication
information, i.e. a salt, StoredKey, ServerKey and the
iteration count i. (Note that a server implementation
may choose to use the same iteration count for all
accounts.) The server sends the salt and the iteration
count to the client, which then computes the following
values and sends a ClientProof to the server:</t>
<t>(*) - Note that both the username and the password MUST be encoded
in UTF-8 <xref target='RFC3629'/>.</t>
<t>Informative Note: Implementors are encouraged to create test cases
that use both username passwords with non-ASCII codepoints. In
particular, it's useful to test codepoints whose "Unicode Normalization
Form C" and "Unicode Normalization Form KC" are different. Some examples of
such codepoints include Vulgar Fraction One Half (U+00BD) and
Acute Accent (U+00B4).
</t>
<figure>
<artwork>
<![CDATA[
SaltedPassword := Hi(Normalize(password), salt, i)
ClientKey := HMAC(SaltedPassword, "Client Key")
StoredKey := H(ClientKey)
AuthMessage := client-first-message-bare + "," +
server-first-message + "," +
client-final-message-without-proof
ClientSignature := HMAC(StoredKey, AuthMessage)
ClientProof := ClientKey XOR ClientSignature
ServerKey := HMAC(SaltedPassword, "Server Key")
ServerSignature := HMAC(ServerKey, AuthMessage)
]]>
</artwork>
</figure>
<t>The server authenticates the client by computing the
ClientSignature, exclusive-ORing that with the
ClientProof to recover the ClientKey and verifying the
correctness of the ClientKey by applying the hash
function and comparing the result to the StoredKey. If
the ClientKey is correct, this proves that the client
has access to the user's password.</t>
<t>Similarly, the client authenticates the server by
computing the ServerSignature and comparing it to the
value sent by the server. If the two are equal, it
proves that the server had access to the user's
ServerKey.</t>
<t>For initial authentication the AuthMessage is computed by concatenating decoded "data"
attribute values from the authentication exchange. The format of these
messages is defined in <xref target='RFC5802'/>.</t>
</section>
<section anchor='mechname' title="SCRAM Mechanism Names">
<t>A SCRAM mechanism name (authentication scheme) is a string "SCRAM-" followed
by the uppercased name of the underlying hash function
taken from the IANA "Hash Function Textual Names"
registry (see http://www.iana.org)
<!--////Needed?
, optionally followed
by the suffix "-PLUS" (see below)
-->
.</t>
<t>For interoperability, all HTTP clients and servers supporting SCRAM MUST
implement the SCRAM-SHA-256 authentication mechanism,
i.e. an authentication mechanism from the SCRAM family
that uses the SHA-256 hash function as defined in <xref target="RFC7677"/>.</t>
<!--////Alexey: is this relevant here?
<t>The "-PLUS" suffix is used only when the server supports
channel binding to the external channel. If the server supports channel
binding, it will advertise both the "bare" and "plus" versions of
whatever mechanisms it supports (e.g., if the server supports only
SCRAM with SHA-256 then it will advertise support for both SCRAM-SHA-256
and SCRAM-SHA-256-PLUS); if the server does not support channel
binding, then it will advertise only the "bare" version of the
mechanism (e.g., only SCRAM-SHA-256). The "-PLUS" exists
to allow negotiation of the use of channel binding. See
<xref target="channel-binding"/>.</t>
-->
</section>
<section anchor='protocol' title="SCRAM Authentication Exchange">
<t>HTTP SCRAM is a HTTP Authentication mechanism whose client response (<credentials-scram>)
and server challenge (<challenge-scram>) messages are text-based messages containing one
or more attribute-value pairs separated by commas.
The messages and their attributes are described below and defined in <xref target='syntax'/>.</t>
<figure>
<artwork>
<![CDATA[
challenge-scram = scram-name [1*SP 1#auth-param]
; Complies with <challenge> ABNF from RFC 7235.
; Included in the WWW-Authenticate header field.
credentials-scram = scram-name [1*SP 1#auth-param]
; Complies with <credentials> from RFC 7235.
; Included in the Authorization header field.
scram-name = "SCRAM-SHA-256" / "SCRAM-SHA-1" / other-scram-name
; SCRAM-SHA-256 and SCRAM-SHA-1 are registered by this RFC.
;
; SCRAM-SHA-1 is registered for database compatibility
; with implementations of RFC 5802 (such as IMAP or XMPP
; servers), but it is not recommended for new deployments.
other-scram-name = "SCRAM-" hash-name
; hash-name is a capitalized form of names from IANA
; "Hash Function Textual Names" registry.
; Additional SCRAM names must be registered in both
; the IANA "SASL mechanisms" registry
; and the IANA "authentication scheme" registry.
]]>
</artwork>
</figure>
<t>
This is a simple example of a SCRAM-SHA-256 authentication exchange
(no support for channel bindings, as this feature is not currently supported by HTTP).
Username 'user' and password 'pencil' are used.
Note that long lines are folded for readability.</t>
<figure>
<artwork>
<![CDATA[
C: GET /resource HTTP/1.1
C: Host: server.example.com
C: [...]
S: HTTP/1.1 401 Unauthorized
S: WWW-Authenticate: Digest realm="realm1@example.com",
Digest realm="realm2@example.com",
Digest realm="realm3@example.com",
SCRAM-SHA-256 realm="realm3@example.com",
SCRAM-SHA-256 realm="testrealm@example.com"
S: [...]
C: GET /resource HTTP/1.1
C: Host: server.example.com
C: Authorization: SCRAM-SHA-256 realm="testrealm@example.com",
data=biwsbj11c2VyLHI9ck9wck5HZndFYmVSV2diTkVrcU8K
C: [...]
S: HTTP/1.1 401 Unauthorized
S: WWW-Authenticate: SCRAM-SHA-256
sid=AAAABBBBCCCCDDDD,
data=cj1yT3ByTkdmd0ViZVJXZ2JORWtxTyVodllEcFdVYTJSYVRDQWZ1eEZJbGo
paE5sRixzPVcyMlphSjBTTlk3c29Fc1VFamI2Z1E9PSxpPTQwOTYK
S: [...]
C: GET /resource HTTP/1.1
C: Host: server.example.com
C: Authorization: SCRAM-SHA-256 sid=AAAABBBBCCCCDDDD,
data=Yz1iaXdzLHI9ck9wck5HZndFYmVSV2diTkVrcU8laHZZRHBXVWEyUmFUQ0FmdXhG
SWxqKWhObEYscD1kSHpiWmFwV0lrNGpVaE4rVXRlOXl0YWc5empmTUhnc3FtbWl6
N0FuZFZRPQo=
C: [...]
S: HTTP/1.1 200 Ok
S: Authentication-Info: sid=AAAABBBBCCCCDDDD,
data=dj02cnJpVFJCaTIzV3BSUi93dHVwK21NaFVaVW4vZEI1bkxUSlJzamw5NUc0PQo=
S: [...Other header fields and resource body...]
]]>
</artwork>
</figure>
<t>
In the above example the first client request contains data attribute which base64 decodes as follows:
"n,,n=user,r=rOprNGfwEbeRWgbNEkqO" (with no quotes). Server then responds with data attribute
which base64 decodes as follows: "r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF,s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096".
The next client request contains data attribute which base64 decodes as follows:
"c=biws,r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF,p=dHzbZapWIk4jUhN+Ute9ytag9zjfMHgsqmmiz7AndVQ=".
The final server response contains a data attribute
which base64 decodes as follows: "v=6rriTRBi23WpRR/wtup+mMhUZUn/dB5nLTJRsjl95G4=".
</t>
<t>Note that in the example above the client can also initiate SCRAM authentication
without first being prompted by the server.</t>
<!--////Alexey: reenable if this variant is going to be supported:
<t>With channel-binding data sent by the client this might look like
this (see <xref target="tls-server-end-point"/> for the definition of
tls-server-end-point TLS channel binding):</t>
<figure>
<artwork>
<![CDATA[
C: data=base64(p=tls-server-end-point,n=Chris Newman,r=ClientNonce)
S: data=base64(r=ClientNonceServerNonce,s=PxR/wv+epq,i=128)
C: data=base64(c=cD10bHMtc2VydmVyLWVuZC1wb2ludCwsy1hFtXOnZ+ySrQM6srFp
l/77uqvtxrg7nBY1BetEr/g=,r=ClientNonceServerNonce,p=Wx
Pv/siO5l+qxN4)
S: data=base64(v=WxPv/siO5l+qxN4)
]]>
</artwork>
<postamble><cref>Note that all hashes above are
fake and will be fixed during AUTH48.</cref></postamble>
</figure>
-->
<!--////Alexey: CLOSED ISSUE
Possibly include in the authentication exchange: HTTP Method, Request URI, Message body?
- No, TLS + channel binding can be used for that.
-->
<!--////Alexey: CLOSED ISSUE
Add "domain" attribute like in draft-oiwa and HTTP Digest?
- no particular reason to.
-->
<!--////Alexey: CLOSED ISSUE (as per Julian's suggestion in Berlin):
Does the "realm" attribute need to be repeated beyond the first response from the server/request to the server?
- it doesn't look like it, but check with the draft-oiwa-... and other HTTP authentication mechanisms.
-->
<!--////Alexey: CLOSED ISSUE
Can we modify the algorithm to avoid the need to store any HTTP state between different steps?
- Unlikely. It looks like draft-oiwa-httpbis-mutualauth had to use "sid" as well.
-->
<t>
Initial "SCRAM-SHA-256" authentication starts with sending the "Authorization" request header
field defined by HTTP/1.1, Part 7 <xref target="RFC7235"/>
containing "SCRAM-SHA-256" authentication scheme and the following attributes:
<list style='symbols'>
<t>
A "realm" attribute MAY be included to indicate the scope of
protection in the manner described in HTTP/1.1, Part 7
<xref target="RFC7235"/>.
As specified in <xref target="RFC7235"/>,
the "realm" attribute MUST NOT appear more than once.
The realm attribute only appears in the first SCRAM message to the server
and in the first SCRAM response from the server.
</t>
<t>
The client also includes the data attribute that contains base64 encoded
"client-first-message" <xref target="RFC5802"/> containing:
<list style='symbols'>
<t>
a header consisting of a flag indicating
whether channel binding is
supported-but-not-used, not supported, or used
<!--////Alexey: Is this too SASL specific?
Tony wanted it in the protocol!
, and an optional SASL authorization identity
-->
.
Note that this version of SCRAM doesn't support HTTP channel bindings, so this header always starts with "n";
<!--
that the header always starts
with "n", "y" or "p",
-->
otherwise the message is invalid and authentication MUST fail.
</t>
<t>SCRAM username and a random, unique nonce attributes.</t>
</list>
</t>
</list>
</t>
<t>In HTTP response, the server sends WWW-Authenticate header field
containing: a unique session identifier (the "sid" attribute)
plus the "data" attribute containing base64-encoded "server-first-message"
<xref target='RFC5802'/>. The "server-first-message" contains the user's iteration count i, the user's salt,
and the nonce with a concatenation of the client-specified one
with a server nonce.
<!--////CLOSED ISSUE:
<cref>OPEN ISSUE: Alternatively, the "sid" attribute can be another header field.</cref>
-->
</t>
<t>The client then responds with another HTTP request with the Authorization
header field, which includes the "sid" attribute received in the previous
server response, together with the "data" attribute containing base64-encoded "client-final-message" data.
The latter has the same nonce and a ClientProof computed using the selected
hash function (e.g. SHA-256) as explained earlier.</t>
<t>The server verifies the nonce and the proof,
<!--////SASL specific?
verifies that the authorization identity (if supplied by
the client in the first message) is authorized to act
as the authentication identity,
-->
and, finally, it
responds with a 200 HTTP response with the Authentication-Info header field <xref target="RFC7615"/>
containing the "sid" attribute (as received from the client) and the "data" attribute containing base64-encoded "server-final-message",
concluding the authentication exchange.</t>
<t>The client then authenticates
the server by computing the ServerSignature and
comparing it to the value sent by the server. If the
two are different, the client MUST consider the
authentication exchange to be unsuccessful and it might
have to drop the connection.</t>
<section title="One round trip reauthentication">
<t>
If the server supports SCRAM reauthentication,
the server sends in its initial HTTP response a WWW-Authenticate header field
containing: the "realm" attribute (as defined earlier),
the "sr" attribute that contains the server part of the "r" attribute (see s-nonce in <xref target='RFC5802'/>)
and optional "ttl" attribute (which contains the "sr" value validity in seconds).
</t>
<t>
If the client has authenticated to the same realm before (i.e. it remembers
"i" and "s" attributes for the user from earlier authentication exchanges
with the server), it can respond to that with "client-final-message".
When constructing the "client-final-message" the client constructs the c-nonce
part of the "r" attribute as on initial authentication and the s-nonce
part as follows: s-nonce is a concatenation of nonce-count
and the "sr" attribute (in that order). The nonce-count is a positive integer that
that is equal to the user's "i" attribute on first reauthentication and
is incremented by 1 on each successful re-authentication.
<list>
<t>
The purpose of the nonce-count is to allow the server to detect request replays by
maintaining its own copy of this count - if the same nonce-count value is
seen twice, then the request is a replay.
</t>
</list>
</t>
<t>
If the server considers the s-nonce part of the nonce attribute (the "r" attribute)
to be still valid (i.e. the nonce-count part is as expected (see above) and the "sr" part is still fresh),
it will provide access to the requested resource (assuming
the client hash verifies correctly, of course).
However if the server considers that the server part of the nonce is stale
(for example if the "sr" value is used after the "ttl" seconds), the server
returns "401 Unauthorized" containing the SCRAM mechanism name with the following attributes:
a new "sr", "stale=true" and an optional "ttl".
The "stale" attribute signals to the client that there is no need to ask user for the password.
<list>
<t>
Formally, the "stale" attribute is defined as follows:
A flag, indicating that the previous request from the client was
rejected because the nonce value was stale. If stale is TRUE
(case-insensitive), the client may wish to simply retry the request
with a new encrypted response, without reprompting the user for a
new username and password. The server should only set stale to TRUE
if it receives a request for which the nonce is invalid but with a
valid digest for that nonce (indicating that the client knows the
correct username/password). If stale is FALSE, or anything other
than TRUE, or the stale directive is not present, the username
and/or password are invalid, and new values must be obtained.
</t>
</list>
</t>
<t>When constructing AuthMessage <xref target='overview'/> to be used for calculating client and server proofs,
"client-first-message-bare" and "server-first-message" are reconstructed from
data known to the client and the server.
</t>
<t>Reauthentication can look like this:</t>
<figure>
<artwork>
<![CDATA[
C: GET /resource HTTP/1.1
C: Host: server.example.com
C: [...]
S: HTTP/1.1 401 Unauthorized
S: WWW-Authenticate: Digest realm="realm1@example.com",
Digest realm="realm2@example.com",
Digest realm="realm3@example.com",
SCRAM-SHA-256 realm="realm3@example.com",
SCRAM-SHA-256 realm="testrealm@example.com", sr=%hvYDpWUa2RaTCAfuxFIlj)hNlF
SCRAM-SHA-256 realm="testrealm2@example.com", sr=AAABBBCCCDDD, ttl=120
S: [...]
[Client authenticates as usual to realm "testrealm@example.com"]
[Some time later client decides to reauthenticate.
It will use the cached "i" (4096) and "s" (W22ZaJ0SNY7soEsUEjb6gQ==)
from earlier exchanges. It will use the nonce-value of 4096 together
with the server advertised "sr" value as the server part of the "r".]
C: GET /resource HTTP/1.1
C: Host: server.example.com
C: Authorization: SCRAM-SHA-256 realm="testrealm@example.com",
data=Yz1iaXdzLHI9ck9wck5HZndFYmVSV2diTkVrcU80MDk2JWh2WURwV1VhMlJhVENB
ZnV4RklsailoTmxGLHA9ZEh6YlphcFdJazRqVWhOK1V0ZTl5dGFnOXpqZk1IZ3Nx
bW1pejdBbmRWUT0K
C: [...]
S: HTTP/1.1 200 Ok
S: Authentication-Info: sid=AAAABBBBCCCCDDDD,
data=dj02cnJpVFJCaTIzV3BSUi93dHVwK21NaFVaVW4vZEI1bkxUSlJzamw5NUc0PQo=
S: [...Other header fields and resource body...]
]]>
</artwork>
<!--////Alexey: Hashes are incorrect, due to the addition of the nonce-count!!!-->
</figure>
</section>
</section>
<!--////Add this back if we want the -PLUS variant?
<section anchor='channel-binding' title="Channel Binding">
<t>SCRAM supports channel binding to external secure
channels, such as TLS. Clients and servers may or may
not support channel binding, therefore the use of
channel binding is negotiable. SCRAM does not provide
security layers, however, therefore it is imperative
that SCRAM provide integrity protection for the
negotiation of channel binding.</t>
<t>Use of channel binding is negotiated as follows:
<list style='symbols'>
<t>Servers SHOULD advertise both non-PLUS (SCRAM-<hash-function>)
and the PLUS-variant (SCRAM-<hash-function>-PLUS)
SASL mechanism names. If the server cannot support channel binding, it MAY
advertise only the non-PLUS variant. If the server would never
succeed authentication of the non-PLUS variant due to policy reasons,
it MAY advertise only the PLUS-variant.</t>
<t>If the client negotiates mechanisms then the client
MUST select SCRAM-<hash-function>-PLUS if offered
by the server and the client wants to select SCRAM with
the given hash function.
////As per Nico: possibly remove the following text:
Otherwise (the client does not negotiate mechanisms),
if the client has no prior knowledge about mechanisms supported
by the server and wasn't explicitly configured to use a particular
variant of the SCRAM mechanism, then it MUST select
only SCRAM-<hash-function> (not suffixed with "-PLUS").</t>
<t>If the client supports channel binding and the server appears to
support it (i.e., the client sees SCRAM-<hash-function>-PLUS),
or if the client wishes to use channel binding but the client does not
negotiate mechanisms, then the client MUST set the GS2 channel
binding flag to "p" in order to indicate the channel binding type it is
using and it MUST include the channel
binding data for the external channel in the
computation of the "c=" attribute (see <xref
target='RFC5802'/>).</t>
<t>If the client supports channel binding but the
server does not appear to (i.e., the client did not see SCRAM-<hash-function>-PLUS)
then the client MUST either fail authentication or it
MUST choose the non-PLUS mechanism and set the GS2
channel binding flag to "y" and MUST NOT include
channel binding data for the external channel in
the computation of the "c=" attribute (see <xref
target='RFC5802'/>).</t>
<t>If the client does not support channel binding
then the client MUST set the GS2 channel binding
flag to "n" and MUST NOT include channel binding
data for the external channel in the computation
of the "c=" attribute (see <xref
target='RFC5802'/>).</t>
<t>Upon receipt of the client first message
the server checks the GS2 channel binding flag (gs2-cb-flag).
<list style='symbols'>
<t>If the flag is set to "y" and
the server supports channel binding the server
MUST fail authentication. This is because if
the client sets the GS2 channel binding flag set
to "y" then the client must have believed that
the server did not support channel binding - if
the server did in fact support channel binding
then this is an indication that there has been a
downgrade attack (e.g., an attacker changed the
server's mechanism list to exclude the -PLUS
suffixed SCRAM mechanism name(s)).</t>
<t>If the channel binding flag was "p" and the
server does not support the indicated channel binding type
then the server MUST fail authentication.</t>
</list>
</t>
</list>
</t>
<t>The server MUST always validate the client's "c=" field.
The server does this by constructing the value of the
"c=" attribute and then checking that it matches the
client's c= attribute value.</t>
<t>
For more discussions of channel bindings, and the syntax of the
channel binding data for various security protocols, see <xref target="RFC5056"/>.
</t>
<section title="Default Channel Binding">
<t>A default channel binding type agreement process for all SASL
application protocols that do not provide their own channel binding
type agreement is provided as follows.
</t>
<t>'tls-unique' is the default channel binding type for any
application that doesn't specify one.
</t>
<t>Servers MUST implement the "tls-unique" <xref target="RFC5929"/>
channel binding type, if they implement any channel binding.
Clients SHOULD implement the "tls-unique" <xref target="RFC5929"/>
channel binding type, if they implement any channel binding.
Clients and servers SHOULD choose the highest-
layer/innermost end-to-end TLS channel as the channel to bind to.
</t>
<t>
Servers MUST choose the channel binding type indicated by the
client, or fail authentication if they don't support it.
</t>
</section>
</section>
-->
<section title="Use of Authentication-Info header field with SCRAM">
<t>When used with SCRAM, the Authentication-Info header field is allowed
in the trailer of an HTTP message transferred via chunked transfer-coding.</t>
</section>
<section anchor='syntax' title="Formal Syntax">
<t>The following syntax specification uses the Augmented
Backus-Naur Form (ABNF) notation as specified in <xref
target='RFC5234'/>. The "UTF8-2", "UTF8-3" and "UTF8-4"
non-terminals are defined in <xref target='RFC3629'/>.</t>
<figure><artwork type='abnf'>
<![CDATA[
ALPHA = <as defined in RFC 5234 appendix B.1>
DIGIT = <as defined in RFC 5234 appendix B.1>
base64-char = ALPHA / DIGIT / "/" / "+"
base64-4 = 4base64-char
base64-3 = 3base64-char "="
base64-2 = 2base64-char "=="
base64 = *base64-4 [base64-3 / base64-2]
sr = "sr=" s-nonce
;; s-nonce is defined in RFC 5802.
data = "data=" base64
;; The data attribute value is base64 encoded
;; SCRAM challenge or response defined in
;; RFC 5802.
ttl = "ttl" = 1*DIGIT
;; "sr" value validity in seconds.
;; No leading 0s.
reauth-s-nonce = nonce-count s-nonce
nonce-count = posit-number
;; posit-number is defined in RFC 5802.
;; The initial value is taken from the "i"
;; attribute for the user and is incremented
;; by 1 on each successful re-authentication.
sid = "sid=" token
;; See token definition in RFC 7235.
stale = "stale=" ( "true" / "false" )
realm = "realm=" <as defined in RFC 7235>
]]>
</artwork>
</figure>
</section>
<section title="Security Considerations">
<t>If the authentication exchange is performed without a
strong session encryption (such as TLS with data confidentiality),
then a passive eavesdropper can
gain sufficient information to mount an offline
dictionary or brute-force attack which can be used to
recover the user's password. The amount of time
necessary for this attack depends on the cryptographic
hash function selected, the strength of the password and
the iteration count supplied by the server.
SCRAM allows the server/server administrator to increase the iteration count over time in order to slow down the above attacks.
(Note that
a server that is only in posession of "StoredKey" and
"ServerKey" can't automatic increase the iteration count
upon successful authentication. Such increase would
require resetting user's password.)
An external
security layer with strong encryption will prevent these
attack.</t>
<t>If the authentication information is stolen from the
authentication database, then an offline dictionary or
brute-force attack can be used to recover the user's
password. The use of salt mitigates this attack somewhat
by requiring a separate attack on each password.
Authentication mechanisms which protect against this
attack are available (e.g., the EKE class of
mechanisms). RFC 2945 <xref target="RFC2945"/> is
an example of such technology.
</t>
<t>If an attacker obtains the authentication information
from the authentication repository and either eavesdrops
on one authentication exchange or impersonates a server,
the attacker gains the ability to impersonate that user
to all servers providing SCRAM access using the same
hash function, password, iteration count and salt. For
this reason, it is important to use randomly-generated
salt values.</t>
<t>SCRAM does not negotiate a hash function to use. Hash
function negotiation is left to the HTTP authentication mechanism
negotiation. It is important that clients be able to
sort a locally available list of mechanisms by
preference so that the client may pick the most
preferred of a server's advertised mechanism list. This
preference order is not specified here as it is a local
matter. The preference order should include objective
and subjective notions of mechanism cryptographic
strength (e.g., SCRAM with a successor to SHA-1 may be
preferred over SCRAM with SHA-1).</t>
<!--////Alexey:
<t>Note that to protect the SASL mechanism negotiation
applications normally must list the server mechs twice:
once before and once after authentication, the latter
using security layers. Since SCRAM does not provide
security layers the only ways to protect the mechanism
negotiation are: a) use channel binding to an external
channel, or b) use an external channel that
authenticates a user-provided server name.</t>
-->
<!--Not yet supported in HTTP:
<t>
SCRAM does not protect against downgrade attacks of channel binding
types. The complexities of negotiation a channel binding type, and
handling down-grade attacks in that negotiation, was intentionally
left out of scope for this document.
</t>
-->
<t>A hostile server can perform a computational
denial-of-service attack on clients by sending a big
iteration count value.</t>
<t>
See <xref target="RFC4086"/> for more information about generating randomness.
</t>
<t>This document recommends use of SCRAM with SHA-256 hash.
SCRAM-SHA-1 is registered for database compatibility
with implementations of RFC 5802 (such as IMAP or XMPP
servers) which want to also expose HTTP access to a related service,
but it is not recommended for new deployments.
<!--////Add more text on why SHA-1 is weak here-->
</t>
</section>
<section anchor='iana' title="IANA Considerations">
<t>
New mechanisms in the SCRAM- family are registered according to the IANA procedure
specified in <xref target='RFC5802'/>.</t>
<t>Note to future SCRAM- mechanism designers: each new
SCRAM- HTTP authentication mechanism MUST be explicitly registered
with IANA and MUST comply with SCRAM- mechanism
naming convention defined in <xref target='mechname'/>
of this document.</t>
<t>IANA is requested to add the following entry to the
Authentication Scheme Registry defined in HTTP/1.1, Part 7
<xref target="RFC7235"/>:</t>
<figure>
<artwork>
<![CDATA[
Authentication Scheme Name: SCRAM-SHA-256
Pointer to specification text: [[ this document ]]
Notes (optional): (none)
]]>
</artwork>
</figure>
<figure>
<artwork>
<![CDATA[
Authentication Scheme Name: SCRAM-SHA-1
Pointer to specification text: [[ this document ]]
Notes (optional): (none)
]]>
</artwork>
</figure>
</section>
<section title="Acknowledgements">
<t>This document benefited from discussions on the HTTPAuth, SASL and Kitten WG mailing lists.
The authors would like to specially thank co-authors of <xref target="RFC5802"/>
from which lots of text was copied.</t>
<t>Thank you to Martin Thomson for the idea of adding "ttl" attribute.</t>
<t>Thank you to Julian F. Reschke for corrections regarding use of Authentication-Info header field.</t>
<t>Special thank you to Tony Hansen for doing an early implementation and providing extensive comments on the draft.</t>
</section>
<!--////Alexey: Keep but update to talk about HTTP Auth instead of SASL, e.g. HTTP Digest/Basic and possibly NTLM?
<appendix title="Other Authentication Mechanisms" anchor='past-attempts'>
<t>The DIGEST-MD5 <xref
target='I-D.ietf-sasl-digest-to-historic'/>
mechanism has proved to be too complex to implement and
test, and thus has poor interoperability. The security
layer is often not implemented, and almost never used;
everyone uses TLS instead. For a more complete list of
problems with DIGEST-MD5 which lead to the creation of
SCRAM see <xref
target='I-D.ietf-sasl-digest-to-historic'/>.</t>
<t>The CRAM-MD5 SASL mechanism, while widely deployed has
also some problems, in particular it is missing some
modern SASL features such as support for
internationalized usernames and passwords, support for
passing of authorization identity, support for channel
bindings. It also doesn't support server authentication.
For a more complete list of problems with CRAM-MD5 see
<xref target='I-D.ietf-sasl-crammd5-to-historic'/>.</t>
<t>The PLAIN <xref target='RFC4616'/> SASL mechanism allows
a malicious server or eavesdropper to impersonate the
authenticating user to any other server for which the
user has the same password. It also sends the password
in the clear over the network, unless TLS is used.
Server authentication is not supported.</t>
</appendix>
-->
<section title="Design Motivations" anchor='goals'>
<t>
The following design goals shaped this document. Note that some of the goals
have changed since the initial version of the document.
<list style='symbols'>
<t>The HTTP authentication mechanism has all modern features: support for internationalized
usernames and passwords, support for channel bindings.
</t>
<t>
The protocol supports mutual authentication.
</t>
<t>
The authentication information stored in the authentication
database is not sufficient by itself to impersonate the client.
</t>
<t>
The server does not gain the ability to impersonate the client to
other servers (with an exception for server-authorized proxies),
unless such other servers allow SCRAM authentication and use
the same salt and iteration count for the user.
</t>
<t>
The mechanism is extensible, but [hopefully] not overengineered in this respect.
</t>
<t>
Easier to implement than HTTP Digest in both clients and servers.
</t>
</list>
</t>
</section>
<!--
<section title="Internet-Draft Change History">
<t>(RFC Editor: Please delete this section and all subsections.)</t>
<t>Changes since -00
<list style='symbols'>
<t></t>
</list>
</t>
</section>
-->
</middle>
<back>
<references title="Normative References">
&rfc2104;
&rfc2119;
&rfc3454;
&rfc3629;
&rfc4013;
&rfc4648;
&rfc5056;
&rfc5234;
&rfc5802;
&rfc5929;
&rfc6234;
&rfc7235;
&rfc7613;
&rfc7615;
&rfc7677;
</references>
<references title="Informative References">
&rfc2865;
&rfc2898;
&rfc2945;
&rfc4510;
&rfc4616;
&rfc4949;
&rfc4086;
&rfc5226;
&rfc5246;
<reference anchor="tls-server-end-point">
<front>
<title>Registration of TLS server end-point channel bindings</title>
<author surname="Zhu, L."><organization/></author>
<date month="July" year="2008"/>
</front>
<seriesInfo name="IANA" value="http://www.iana.org/assignments/channel-binding-types/tls-server-end-point"/>
<format type="TXT" target="http://www.iana.org/assignments/channel-binding-types/tls-server-end-point"/>
</reference>
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 11:13:09 |