-
-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SCRAM-SHA-1-PLUS + SCRAM-SHA-256-PLUS + SCRAM-SHA-512-PLUS + SCRAM-SHA3-512(-PLUS) supports #1
Comments
Currently, I have SCRAM-SHA-1, SCRAM-SHA256 and SCRAM-SHA-512 implemented. The 224 and 384 variants could be implemented rather easily. SHA3-512 would require another library that I am not sure I would like to pull in just for SCRAM. The PLUS variants cannot be implemented since the TLS implementation of Dart doesn't give me access to features like channel binding. |
I would ignore Not very related, but... it's nice to see a fresh XMPP client! In case you find them useful, here are a few resources:
|
@mwild1 I know, I have seen these issues around. I am aware that SHA-1 is still sufficiently secure but I thought that it didn't hurt since you get SCRAM-SHA-{256,512} basically for free if you implement it using SHA-1. I have to admit that I was influenced by the XMPP wiki page about SCRAM. Removing it now probably makes no sense since it is already there but not being able to test it against an actual implementation makes me a bit uncomfortable. The fact about the deployment of other SCRAM variants is also the reason why I am reluctant about pulling in another crypto library just for SCRAM-SHA3-512 and so on (until I have to be compliant with XEP-0414). But thank you for the additional information, though I do already know of them. I've had the idea of a new XMPP client not just since yesterday 😄 |
Note that a lot of people have TLS 1.2, add -PLUS variants have been integrated in libs/softwares/products. Example: PostegreSQL supports with and without -PLUS. Note that GnuTLS supports already TLS Binding with TLS 1.3. You can see libs/softwares which use different SCRAM protocols, here: scram-sasl/info#1 Note that some XMPP projects do not want to add other SCRAM that SCRAM-SHA-1. In few weeks, Prosody 0.12.x will have SCRAM-SHA-256.
Edit: SCRAM BIS: https://tools.ietf.org/html/draft-melnikov-scram-bis speaks about SCRAM-SHA-(1-256-512)(-PLUS) and SCRAM-SHA3-(512)(-PLUS) and TLS 1.2 and TLS 1.3. |
@PapaTutuWawa: Please note that to have only SCRAM-SHA-1 support does not permit to all users to connect on XMPP Servers ;) |
@Neustradamus I understand that, but at the moment I view just having SCRAM-SHA-{1,256,512} as enough, judging by the stats of the XMPP observatory. This doesn't mean I refuse to implement the "missing" ones, but at the moment my code has issues with much higher priority. If anyone tries to use my client on a server that does not offer one of the already mentioned SCRAM methods, then I will gladly implement them, as long as it's not *-MD5 or any of the *-PLUS variants. |
@PapaTutuWawa: Thanks for your reply, you can test here: |
@PapaTutuWawa: It is official for TLS 1.3 Binding!
Details:
Linked to: |
@Neustradamus I have now implemented (and fixed) the SHA-256 and SHA-512 variants. Channel binding is not implemented since I still cannot access the TLS data required to do so. |
Thanks for your improvements! Hard to add SHA3-512? Yes, you need to wait for -PLUS variants... |
No, but I don't want to pull in another library (my current crypto library does not implement SHA3) just for SCRAM-SHA3. |
To have compatibility with XMPP Servers and after:
Can you add supports of :
"When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802]".
SCRAM-SHA-1(-PLUS):
-- https://tools.ietf.org/html/rfc5802
-- https://tools.ietf.org/html/rfc6120
SCRAM-SHA-256(-PLUS):
-- https://tools.ietf.org/html/rfc7677 since 2015-11-02
-- https://tools.ietf.org/html/rfc8600 since 2019-06-21: https://mailarchive.ietf.org/arch/msg/ietf-announce/suJMmeMhuAOmGn_PJYgX5Vm8lNA
SCRAM-SHA-512(-PLUS):
-- https://tools.ietf.org/html/draft-melnikov-scram-sha-512
SCRAM-SHA3-512(-PLUS):
-- https://tools.ietf.org/html/draft-melnikov-scram-sha3-512
SCRAM BIS: Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms:
-- https://tools.ietf.org/html/draft-melnikov-scram-bis
https://xmpp.org/extensions/inbox/hash-recommendations.html
-PLUS variants:
IMAP:
LDAP:
HTTP:
2FA:
IANA:
Linked to:
The text was updated successfully, but these errors were encountered: