ejabberd development: EJAB-1196

New SASL authentication method: SCRAM-SHA-1

    Details

      Description

      As suggested by Sebastiaan Deckers, from Pandion.

      Advantage of this authentication method:

      • The MD5 algorithm is weak and SHA-1 is better (still not great but better)
      • Scram allows storing hashed passwords on the server, while Digest requires storing plaintext. This is often a security requirement.
      • Scram has i18n using stringprep. Digest authentication doesn't have that so there are all kinds of problems with Unicode chars.

      Patch is tested and works with:

      • Gajim hg: PLAIN and its simple SCRAM-SHA-1 (ServerSignature is verified since 0.15: http://trac.gajim.org/ticket/6940)
      • Pandion 2.6.106: PLAIN and SCRAM-SHA-1 (doesn't verify ServerSignature)
      • Swift 1.0: PLAIN and SCRAM-SHA-1
      • Tkabber SVN: PLAIN

      Other clients are supposed to support SCRAM, but I couldn't test them: Empathy, Pidgin (since 2.6.6), Psi (not integrated into git yet; announcement: http://ayena.de/sleep_tight_password_safe), SoapBox (proprietary).

      Related links:

      • The protocol: Salted Challenge Response (SCRAM) SASL and GSS-API Mechanism, http://tools.ietf.org/html/draft-ietf-sasl-scram-11
      • Overview of the protocol: Scram DIGEST-MD5!, http://ayena.de/scram-digest-md5
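      Added worked example (not ejabberd's code, which is Erlang): the SCRAM-SHA-1 arithmetic of RFC 5802, the published form of draft-ietf-sasl-scram. It shows what the server keeps instead of a plaintext password (salt, iteration count, StoredKey, ServerKey), how the ClientProof is checked, and why a client that verifies ServerSignature (as Gajim does) gets mutual authentication while one that skips it (Pandion 2.6.106) does not. Passwords are assumed to be SASLprep-normalized already; the known-answer values are the RFC's own.

```python
import base64
import hashlib
import hmac
import os

# Added example, not ejabberd's Erlang: the SCRAM-SHA-1 math of RFC 5802 (the
# published draft-ietf-sasl-scram). Passwords are assumed SASLprep-normalized.

def _hmac(key: bytes, msg: bytes) -> bytes: return hmac.new(key, msg, hashlib.sha1).digest()
def _xor(a: bytes, b: bytes) -> bytes: return bytes(x ^ y for x, y in zip(a, b))

def derive_keys(password: str, salt: bytes, iterations: int) -> tuple:
    """Hi() is PBKDF2-HMAC-SHA-1; returns (ClientKey, StoredKey, ServerKey)."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations, 20)
    client_key = _hmac(salted, b"Client Key")
    return client_key, hashlib.sha1(client_key).digest(), _hmac(salted, b"Server Key")

def enroll(password: str, iterations: int = 4096) -> dict:
    """Server-side record: salt, count, StoredKey, ServerKey. No plaintext is
    kept; the password is recoverable only by an offline guessing attack."""
    salt = os.urandom(16)
    _, stored_key, server_key = derive_keys(password, salt, iterations)
    return {"salt": salt, "i": iterations, "stored_key": stored_key, "server_key": server_key}

def client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    client_key, stored_key, _ = derive_keys(password, salt, iterations)
    return _xor(client_key, _hmac(stored_key, auth_message))

def server_verify(record: dict, proof: bytes, auth_message: bytes):
    """Recover ClientKey from the proof, check H(ClientKey) == StoredKey; return ServerSignature or None."""
    client_key = _xor(proof, _hmac(record["stored_key"], auth_message))
    if not hmac.compare_digest(hashlib.sha1(client_key).digest(), record["stored_key"]):
        return None
    return _hmac(record["server_key"], auth_message)

def client_verify_server(password, salt, iterations, auth_message, server_sig) -> bool:
    """The check Gajim does and Pandion 2.6.106 skips: only a server holding ServerKey can produce this."""
    _, _, server_key = derive_keys(password, salt, iterations)
    return hmac.compare_digest(_hmac(server_key, auth_message), server_sig)

def rfc5802_known_answer() -> bool:
    """Reproduce the worked exchange of RFC 5802 section 5 (user 'user', password 'pencil')."""
    salt = base64.b64decode("QSXCR+Q6sek8bf92")
    auth = (b"n=user,r=fyko+d2lbbFgONRv9qkxdawL,"
            b"r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096,"
            b"c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j")
    proof = client_proof("pencil", salt, 4096, auth)
    _, _, server_key = derive_keys("pencil", salt, 4096)
    return (base64.b64encode(proof) == b"v0X8v3Bz2T0CJGbJQyF0X+HI4Ts=" and
            base64.b64encode(_hmac(server_key, auth)) == b"rmF9pqV8S7suAoZWja4dJRkFsKQ=")
```

      A wrong password fails at server_verify, so no ServerSignature is ever issued; a server that never knew the password cannot forge one, which is exactly what a client loses when it skips the final check.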


          Activity

          Mickaël Rémond
          made changes -
          Description: edited
          Badlop
          made changes -
          Description: edited

          SCRAM is supported by development versions of Prosody, Pidgin, Pandion and Gajim.
          Badlop
          made changes -
          Description: edited
          Badlop
          made changes -
          Description: edited
          Stephen Röttger
          made changes -
          Attachment added: ejabberd-2.1.0-scram.patch [ 18643 ]
          Badlop
          made changes -
          Assignee: Badlop [ badlop ]
          Badlop
          made changes -
          Status: Open [ 1 ] → In Progress [ 3 ]
          Badlop
          made changes -
          Attachment added: ejabberd-2.1.0-scram-part2.patch [ 18650 ]
          Badlop
          made changes -
          Status: In Progress [ 3 ] → Open [ 1 ]
          Badlop
          made changes -
          Attachment added: ejabberd-2.1.0-scram-part2.patch [ 18661 ]
          Badlop
          made changes -
          Status: Open [ 1 ] → Resolved [ 5 ]
          Fix Version/s: ejabberd 2.1.9 [ 10796 ]
          Fix Version/s: ejabberd 3.0.0-beta-1 [ 10660 ]
          Resolution: Fixed [ 1 ]
          Badlop
          made changes -
          Description: edited (final text shown above)
          Christophe Romain
          made changes -
          Status: Resolved [ 5 ] → Closed [ 6 ]
          Mickaël Rémond
          made changes -
          Workflow: development v3 [ 71348 ] → Development v4 [ 81362 ]
          Badlop
          made changes -
          Link: This issue is split to EJAB-1598 [ EJAB-1598 ]
