
SCRAM-SHA-1-PLUS + SCRAM-SHA-256-PLUS + SCRAM-SHA-512(-PLUS) + SCRAM-SHA3-512(-PLUS) support #182

Closed
Neustradamus opened this issue Jan 8, 2022 · 7 comments
Labels
wontfix This will not be worked on

Comments

@Neustradamus

Neustradamus commented Jan 8, 2022

Dear @the-djmaze,

First, I wish you a Happy New Year!

Thanks a lot for adding SCRAM-SHA-1 and SCRAM-SHA-256! :)

After:

  • SCRAM-SHA-1
  • SCRAM-SHA-256

Can you add support for:

  • SCRAM-SHA-1-PLUS
  • SCRAM-SHA-256-PLUS
  • SCRAM-SHA-512
  • SCRAM-SHA-512-PLUS
  • SCRAM-SHA3-512
  • SCRAM-SHA3-512-PLUS

"When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802]".

https://xmpp.org/extensions/inbox/hash-recommendations.html

-PLUS variants:

IMAP:

LDAP:

  • RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing Salted: Challenge Response Authentication Mechanism (SCRAM) Secrets: https://tools.ietf.org/html/rfc5803

HTTP:

2FA:

IANA:

Linked to:

@the-djmaze
Owner

the-djmaze commented Jan 8, 2022

Thanks, and a good 2022 to you as well.

SCRAM-SHA-512 should work as scram.php detects it.

The PLUS versions however are difficult due to the required gs2 header which is inside TLS stream (we have no access to it).

On the other side: sha and md5 should not be used as it actually relies on plain/hash passwords stored on the server.
In 2022 it is very insecure to store passwords in plain text or md5/sha.

Passwords should be stored in bcrypt, balloon or argon2 (but scram will not work in these cases).

So basically always use TLS 1.3 connections unless the connection is 127.0.0.1
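The exchange the comment above is describing, as an added example (it is not SnappyMail's scram.php and not code from either participant): a minimal SCRAM client and server per RFC 5802/7677, parameterised by hash name so the identical code runs as SCRAM-SHA-1, SCRAM-SHA-256, SCRAM-SHA-512 or SCRAM-SHA3-512. It also shows the two points made in the comment: the server must hold PBKDF2-derived StoredKey/ServerKey material (the RFC 5803 attributes), which a bcrypt/argon2 hash cannot be converted into, and the -PLUS variants put channel-binding bytes taken from the TLS layer into the `c=` attribute, so verification fails unless both ends see the same bytes. The nonces, salt and expected proof values for SCRAM-SHA-256 are the test vector from RFC 7677 section 3; `CONSTRUCTED_CB` is a made-up placeholder for the channel-binding data a real -PLUS client would obtain from its TLS stack.

```python
import base64
import hashlib
import hmac

# Constructed placeholder for the channel-binding bytes the TLS layer would have to
# supply (e.g. the tls-server-end-point certificate hash); not real TLS data.
CONSTRUCTED_CB = b"\x01\x02\x03constructed-cbind-data"


def _h(algo, data):
    return hashlib.new(algo, data).digest()


def _hmac(algo, key, msg):
    return hmac.new(key, msg, algo).digest()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _parse(msg):
    # SCRAM attributes are "k=v" pairs; values (base64, nonces) may themselves contain '='.
    return dict(kv.split("=", 1) for kv in msg.split(","))


def gs2_header(cbind_type=None):
    # "n,," = no channel binding; "p=<type>,," = the -PLUS mechanism with that binding type.
    return f"p={cbind_type},," if cbind_type else "n,,"


def store_credentials(algo, password, salt, iterations):
    """Server-side record (the RFC 5803 attributes): salt, iteration count, StoredKey, ServerKey.
    All of it is PBKDF2-derived, so an existing bcrypt/argon2 hash cannot be turned into it."""
    salted = hashlib.pbkdf2_hmac(algo, password.encode(), salt, iterations)
    client_key = _hmac(algo, salted, b"Client Key")
    return {"algo": algo, "salt": salt, "iterations": iterations,
            "stored_key": _h(algo, client_key),
            "server_key": _hmac(algo, salted, b"Server Key")}


def client_final(algo, username, password, cnonce, server_first, cbind_type=None, cbind=b""):
    """Client side: return (client-final message, the v= value the client expects back)."""
    attrs = _parse(server_first)
    nonce, salt, iters = attrs["r"], base64.b64decode(attrs["s"]), int(attrs["i"])
    if not nonce.startswith(cnonce):
        raise ValueError("server did not echo the client nonce")
    # c= is base64(gs2-header || cbind-data); with "n,," and no data it is always "biws".
    cb_input = base64.b64encode(gs2_header(cbind_type).encode() + cbind).decode()
    without_proof = f"c={cb_input},r={nonce}"
    auth_message = f"n={username},r={cnonce},{server_first},{without_proof}".encode()
    salted = hashlib.pbkdf2_hmac(algo, password.encode(), salt, iters)
    client_key = _hmac(algo, salted, b"Client Key")
    proof = _xor(client_key, _hmac(algo, _h(algo, client_key), auth_message))
    server_sig = _hmac(algo, _hmac(algo, salted, b"Server Key"), auth_message)
    return (f"{without_proof},p={base64.b64encode(proof).decode()}",
            base64.b64encode(server_sig).decode())


def server_verify(creds, client_first_bare, server_first, final, cbind_type=None, cbind=b""):
    """Server side: recover ClientKey from the proof and check H(ClientKey) == StoredKey.
    Returns the v= value on success, None on any failure."""
    algo, attrs = creds["algo"], _parse(final)
    if attrs["c"] != base64.b64encode(gs2_header(cbind_type).encode() + cbind).decode():
        return None  # channel-binding (or -PLUS negotiation) mismatch
    auth_message = f"{client_first_bare},{server_first},c={attrs['c']},r={attrs['r']}".encode()
    client_key = _xor(base64.b64decode(attrs["p"]), _hmac(algo, creds["stored_key"], auth_message))
    if not hmac.compare_digest(_h(algo, client_key), creds["stored_key"]):
        return None
    return base64.b64encode(_hmac(algo, creds["server_key"], auth_message)).decode()


def run_exchange(algo, username, password, cnonce, snonce, salt, iterations,
                 cbind_type=None, client_cb=b"", server_cb=b"", client_password=None):
    """Drive a full exchange with fixed nonces and salt so the transcript is reproducible."""
    creds = store_credentials(algo, password, salt, iterations)
    bare = f"n={username},r={cnonce}"
    server_first = f"r={cnonce}{snonce},s={base64.b64encode(salt).decode()},i={iterations}"
    final, expected_v = client_final(algo, username, client_password or password, cnonce,
                                     server_first, cbind_type, client_cb)
    v = server_verify(creds, bare, server_first, final, cbind_type, server_cb)
    return {"client_first": gs2_header(cbind_type) + bare, "server_first": server_first,
            "client_final": final, "server_final": f"v={v}" if v else None,
            "client_accepts": v is not None and hmac.compare_digest(v, expected_v)}


# Test vector from RFC 7677 section 3 (password "pencil"; nonces and salt as printed there).
RFC7677 = dict(algo="sha256", username="user", password="pencil",
               cnonce="rOprNGfwEbeRWgbNEkqO", snonce="%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0",
               salt=base64.b64decode("W22ZaJ0SNY7soEsUEjb6gQ=="), iterations=4096)

if __name__ == "__main__":
    for line in run_exchange(**RFC7677).values():
        print(line)
    # Same code as SCRAM-SHA-512 / SCRAM-SHA3-512: only the hash name changes.
    print(run_exchange(**{**RFC7677, "algo": "sha3_512"})["client_accepts"])
    # -PLUS: succeeds only when both ends see identical channel-binding bytes.
    print(run_exchange(**RFC7677, cbind_type="tls-server-end-point",
                       client_cb=CONSTRUCTED_CB, server_cb=CONSTRUCTED_CB)["client_accepts"])
```

Running the RFC 7677 vector reproduces the four messages printed in the RFC, including `c=biws` (base64 of the `n,,` header) and the exact `p=` and `v=` values. Switching the hash name is all it takes for the non-PLUS SHA-512 and SHA3-512 variants, which is what the comment's "scram.php detects it" amounts to. For -PLUS, note that `server_verify` rejects the proof as soon as the `c=` bytes differ: a client that cannot read channel-binding data out of its TLS stream has nothing valid to put there, which is the obstacle described in the comment.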

the-djmaze pushed a commit that referenced this issue Jan 8, 2022
@Neustradamus
Author

@the-djmaze
Owner

@Neustradamus I understand your SCRAM mission everywhere.
But -PLUS is just not possible in PHP.

@Neustradamus
Author

@the-djmaze: Ok for -PLUS variants, but for SCRAM-SHA3-512?

the-djmaze pushed a commit that referenced this issue Jan 10, 2022
@Neustradamus
Author

@the-djmaze: I have added the RFC9051: Internet Message Access Protocol (IMAP) - Version 4rev2: https://tools.ietf.org/html/rfc9051 in the description :)

@the-djmaze
Owner

the-djmaze commented Jan 12, 2022

RFC9051 is already partially supported ;)
