Add SCRAM-SHA-1-PLUS, SCRAM-SHA-224-PLUS, SCRAM-SHA-256-PLUS, SCRAM-SHA-384-PLUS, SCRAM-SHA-512-PLUS, SCRAM-SHA3-512(-PLUS) supports

[Neustradamus]

"When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802]".

SCRAM-SHA-1(-PLUS):

• https://tools.ietf.org/html/rfc5802
• https://tools.ietf.org/html/rfc6120

SCRAM-SHA-256(-PLUS):

• https://tools.ietf.org/html/rfc7677 since 2015-11-02
• https://tools.ietf.org/html/rfc8600 since 2019-06-21: https://mailarchive.ietf.org/arch/msg/ietf-announce/suJMmeMhuAOmGn_PJYgX5Vm8lNA

SCRAM-SHA-512(-PLUS):

• https://tools.ietf.org/html/draft-melnikov-scram-sha-512

SCRAM-SHA3-512(-PLUS):

• https://tools.ietf.org/html/draft-melnikov-scram-sha3-512

In more than

• SCRAM-SHA-1
• SCRAM-SHA-256

It is possible to add?

• SCRAM-SHA-1-PLUS
• SCRAM-SHA-224(-PLUS)
• SCRAM-SHA-256-PLUS
• SCRAM-SHA-384(-PLUS)
• SCRAM-SHA-512(-PLUS)

Linked to:

• State of Play scram-sasl/info#1
• Add SCRAM-SHA-1-PLUS, SCRAM-SHA-224-PLUS, SCRAM-SHA-256-PLUS, SCRAM-SHA-384-PLUS, SCRAM-SHA-512-PLUS, SCRAM-SHA3-512(-PLUS) supports #552
• RFC 9266: Channel Bindings for TLS 1.3 support #742
• RFC 9266: Channel Bindings for TLS 1.3 support cyrus-imapd#4191

[ksmurchison]

We can add 224, 384, 512 easily since OpenSSL now appears to support them in the EVP API.
-PLUS will take more work. A PR would be appreciated.

[Neustradamus]

Good if you can add a better SHA-2 family (SHA-224, SHA-384, SHA-512) :)

I think, it will be possible to have SHA-3 family (SHA3-224, SHA3-256, SHA3-384, SHA3-512) too?

Who could see for -PLUS variant part?

Have you looked for the documentation?

• There is a problem in documentations, please update documentations #549

[Neustradamus]

@ksmurchison: Thanks for SCRAM-SHA-224, SCRAM-SHA-384, SCRAM-SHA-512!

Now there are SCRAM-SHA-1, SCRAM-SHA-224, SCRAM-SHA-256, SCRAM-SHA-384, SCRAM-SHA-512 :)

Have you looked for SCRAM-SHA3?

[Neustradamus]

@dhawes: Please look:

• https://github.com/cyrusimap/cyrus-sasl/commits/master
  -- Commits from Sep 2, 2019
  -- Commits from Sep 4, 2019

Thanks a lot to @aamelnikov and @ksmurchison too.

[Neustradamus]

@aamelnikov, @ksmurchison: There is a problem, can you look?

• SCRAM-SHA-1 + SCRAM-SHA-256 + SCRAM-SHA-512 supports vt-middleware/ldaptive#153 (comment)

[SamWhited]

I'd like to push back on this a bit; adding the PLUS variants of SCRAM-SHA1 and SCRAM-SHA-256 would be great, but the other mechanisms that the OP mentions are not part of the SCRAM family of mechanisms, and are not defined in any IETF standard. That is to say, there is no such mechanism as SCRAM-SHA-512 or SCRAM-SHA-384. Since they are not supported by most SCRAM clients and do not provide any known security benefit over either of the other SCRAM mechanisms (since the hash is just used in an HMAC so only pre-image attacks would matter), please consider removing these mechanisms or at least disabling them by default.

If the mechanisms are left in, and eventually a SCRAM-SHA-512 mechanism is created by the IETF but it differs somehow from the other mechanisms, you will have an incompatible version. This also may encourage other developers to implement the non-standard mechanism and/or to not support the actual standardized mechanisms out of some misguided idea that bigger numbers means that it is somehow "more secure". We don't want to have to clean up a mess later, or encourage other SCRAM stacks to invent their own mechanisms which may only work with one or two clients and servers when safe, standardized, mechanisms have already been thought through by a group with expertise in these matters.

TL;DR let's not make up our own crypto, it's dangerous. Please trust the experts and wait until the IETF reviews and standardizes a new mechanism before implementing it.

Thanks for your consideration.

[Neustradamus]

SCRAM-SHA-512(-PLUS):

• https://tools.ietf.org/html/draft-melnikov-scram-sha-512

SCRAM-SHA3-512(-PLUS):

• https://tools.ietf.org/html/draft-melnikov-scram-sha3-512

[SamWhited]

Those are I-Ds, not RFCs. They are IDs by a well respected author, and if they are ever accepted then we should use them. In the mean time let's not make up our own crypto, it's bad practice.

[Neustradamus]

@SamWhited: It will be validated soon :)
A good job from @aamelnikov.
In several RFCs, there are some links to draft before RFC.

[SamWhited]

I certainly hope so, and when it is then we can use them, as I've said on every other issue where you've pushed people to make up their own auth mechanisms for some reason.

[Neustradamus]

@SamWhited: Do not forget that the code for SCRAM in Cyrus SASL has been done by the author of the SCRAM RFCs himself @aamelnikov and by @ksmurchison too.

[Neustradamus]

A lot of projects have already SCRAM-SHA-512: https://www.google.com/search?q=SCRAM-SHA-512

[SamWhited]

I'm sure the code is fine, and I'm very excited they're writing I-Ds to update the registry, I'm pushing back against implementing them and encouraging others to use non-standardized mechanisms before we're sure what the final version of those mechanisms looks like. Chances are they won't change, and I'll be very excited to see these mechanisms implemented once they are in the registry.

A lot of projects implementing it doesn't mean it's a good idea, and most mainstream services don't implement it, so you're not even getting any sort of compatibility befit from rushing an implementation.

[quanah]

I see no major issue here. Any pull request should be against the master (development) branch, and not against the 2.1 release branch. I would suggest putting the non-finalized RFC versions behind an IFDEF that can be flagged at compile time for people who want to enable/experiment with them. If the finalized form differs, we can fix and unifdef them for them to be officially supported. It is quite common for draft form RFCs to be implemented in software while the draft is finalized (For example, see password policy support found in most all LDAP projects, despite it still being in draft form).

[SamWhited]

I would suggest putting the non-finalized RFC versions behind an IFDEF that can be flagged at compile time for people who want to enable/experiment with them.

Putting them behind an IFDEF seems good enough to me.

[Neustradamus]

It is official, it is here: RFC 9266: Channel Bindings for TLS 1.3:

• https://tools.ietf.org/html/rfc9266

Thanks @SamWhited.

[Neustradamus]

@aamelnikov, @ksmurchison, @quanah, @hyc, @bgermann: It is possible to add SCRAM-SHA3-512?

Can you see for Channel Binding too?

• RFC 9266: Channel Bindings for TLS 1.3 support #742

Thanks in advance.

[Neustradamus]

Dear @cyrusimap team, @aamelnikov, @ksmurchison, @quanah, @hyc, @bgermann, @dilyanpalauzov, @iboukris, @simo5,

Can you look for Channel Binding for TLS 1.3 support?

There is a recent history with jabber.ru MITM and SCRAM-SHA-*-PLUS is the security solution!

Some sources about jabber.ru:

• https://notes.valdikss.org.ru/jabber.ru-mitm/
• https://snikket.org/blog/on-the-jabber-ru-mitm/
• https://www.devever.net/~hl/xmpp-incident
• https://blog.jmp.chat/b/certwatch

Thanks in advance.

Linked to:

• Add SCRAM-SHA-1-PLUS, SCRAM-SHA-224-PLUS, SCRAM-SHA-256-PLUS, SCRAM-SHA-384-PLUS, SCRAM-SHA-512-PLUS, SCRAM-SHA3-512(-PLUS) supports #552
• RFC 9266: Channel Bindings for TLS 1.3 support #742
• RFC 9266: Channel Bindings for TLS 1.3 support cyrus-imapd#4191