SCRAM-SHA-1-PLUS + SCRAM-SHA-256-PLUS + SCRAM-SHA-512-PLUS + SCRAM-SHA3-512(-PLUS) supports #71
Comments
|
I can consider adding support for the SCRAM-SHA-1 and SCRAM-SHA-256 authentication mechanisms. I don’t believe that it’s feasible to add support for the PLUS variants at this time because it does not appear that Java SE includes support for channel binding. It may be possible to get that through other libraries, like the one that Bouncy Castle provides, but the LDAP SDK does not and will not ever require any external dependencies other than Java SE, so that’s not an option. However, the LDAP SDK’s SASL support is extensible, so if that’s a deal-breaker, then anyone could implement support for the algorithms on their own if necessary. I’ve been very hesitant to add support for these mechanisms in the past because I do not believe that they are secure. I’ll grant you that they’re better than CRAM-MD5 and DIGEST-MD5, but that’s an extremely low bar, and those mechanisms are only supported for legacy purposes. I’m not going to remove them from the LDAP SDK for the sake of backward compatibility, but I would also never recommend their use. The primary benefit that the SCRAM mechanisms claim over other mechanisms (like LDAP simple binds, or the PLAIN SASL mechanism), is that the client never directly provides the password to the server, but instead only provides proof that it knows the password. There are two potential upsides to this:
Presumably, the client has no insight into whether the server stores the password in a reversible or partially-computed form, and therefore if it doesn’t trust the server with the password at authentication time, it may not actually be deriving any benefit from using a SCRAM-based mechanism because the server might have access to it anyway. But either case leads to very bad news in the case of a data breach. If the passwords are stored in a reversible form, then there’s a very good chance that the attacker also got the information needed to reverse them and now has access to the clear-text passwords. If the passwords are stored in the pre-computed form, then that’s even worse because you can guarantee that the attacker has what they need to authenticate to the server (at least using a SCRAM-based mechanism) because that pre-computed form is even better than the clear-text password because it requires even less effort on the attacker’s part to use it. There are other serious security-related side effects if the server is going to support these algorithms. Off the top of my head, the two biggest ones are:
Like I said, I’ll go ahead and look into adding support for SCRAM-SHA-1 and SCRAM-SHA-256. I wouldn’t have done so without a request because of the security problems outlined above, but the work to support them really isn’t all that substantial. But I would recommend against actually using these authentication mechanisms unless you need them for legacy purposes. Using LDAP simple authentication or SASL PLAIN over a TLS-encrypted connection is just as strong and gives the server much better options for securing the passwords. |
|
-PLUS variants and Java: https://bugs.openjdk.java.net/browse/JDK-6491070 Yes you can already add support for SCRAM-SHA-1, SCRAM-SHA-256 and SCRAM-SHA-512? |
|
I've just committed a change that adds client-side support for the SCRAM-SHA-1, SCRAM-SHA-256, and SCRAM-SHA-512 SASL mechanisms. Please test it and let me know if it works. |
|
Thanks @dirmgr! @jerboaa: About: https://bugs.openjdk.java.net/browse/JDK-6491070, it is done? |
|
Note that even if Java SE adds support for channel binding in a future release, the LDAP SDK is not likely to be updated to make use of it. The LDAP SDK currently offers support for Java SE 7 and later, and because we have customers using it on those older platforms, we have no plans to drop that support any time soon. However, the LDAP SDK is extensible, and you're certainly free to implement your own support for SASL mechanisms that do make use of channel binding. |
|
FYI, LDAP SDK version 4.0.12 has been released and includes client-side support for the SCRAM-SHA-1, SCRAM-SHA-256, and SCRAM-SHA-512 SASL mechanisms. |
Neustradamus
changed the title
|
@dirmgr: I have changed the name for have only missing parts :) |
|
@dirmgr: Why not used BouncyCastle for TLS binding like Tigase? |
|
The LDAP SDK does not now and will not ever require any third-party dependencies beside what's in Java SE (and currently limited to what's in Java SE 7). However, even if third-party dependencies were acceptable, the Bouncy Castle library is likely not one that would ever be used directly because of concerns around U.S. export control laws regarding strong encryption. When you couple these restrictions with my strong negative opinions regarding the SCRAM SASL mechanisms as outlined above, it is extremely unlikely that the LDAP SDK will ever implement support for the SCRAM-x-PLUS SASL mechanisms. However, as I've pointed out above, the LDAP SDK does expose APIs for implementing support for SASL mechanisms in your own code, and you're certainly free to use the code I've already provided for implementing SCRAM support without channel binding (as long as you comply with the license for that code), along with whatever additional libraries you wish. |
|
@dirmgr: Thanks for your improvements of this year about SCRAM :) But I hope one day about -PLUS variants directly... |
Neustradamus
changed the title
Neustradamus
changed the title
|
@dirmgr: Have you seen the RFC9266?
For SCRAM-SHA3-512, it is possible too? Thanks in advance. Linked to: |
|
@dirmgr: Can you look for Channel Binding support? There is a recent history with jabber.ru MITM and SCRAM-SHA-*-PLUS is the security solution! Some sources about jabber.ru:
Thanks in advance. |
RFC8600:
SCRAM-SHA-1(-PLUS):
SCRAM-SHA-256(-PLUS):
SCRAM-SHA-512(-PLUS):
SCRAM-SHA3-512(-PLUS):
SCRAM BIS: Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms:
-PLUS variants:
IMAP:
LDAP:
HTTP:
JMAP:
2FA:
IANA:
Linked to:
The text was updated successfully, but these errors were encountered: