
#136 SCRAM-SHA-1(-PLUS) + SCRAM-SHA-256(-PLUS) + SCRAM-SHA-512(-PLUS) + SCRAM-SHA3-512(-PLUS) support

Dear NOCC team,

For more security, can you add support for:
- SCRAM-SHA-1
- SCRAM-SHA-256
- SCRAM-SHA-512
- SCRAM-SHA3-512

Same with TLS Channel Binding:
- SCRAM-SHA-1-PLUS
- SCRAM-SHA-256-PLUS
- SCRAM-SHA-512-PLUS
- SCRAM-SHA3-512-PLUS

Details:

"When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802]".

-PLUS variants:
- RFC5056: On the Use of Channel Bindings to Secure Channels: https://tools.ietf.org/html/rfc5056
- RFC5929: Channel Bindings for TLS: https://tools.ietf.org/html/rfc5929
- Channel-Binding Types: https://www.iana.org/assignments/channel-binding-types/channel-binding-types.xhtml
- RFC 9266: Channel Bindings for TLS 1.3: https://tools.ietf.org/html/rfc9266

IMAP:
- RFC9051: Internet Message Access Protocol (IMAP) - Version 4rev2: https://tools.ietf.org/html/rfc9051

LDAP:
- RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing Salted Challenge Response Authentication Mechanism (SCRAM) Secrets: https://tools.ietf.org/html/rfc5803

HTTP:
- RFC7804: Salted Challenge Response HTTP Authentication Mechanism: https://tools.ietf.org/html/rfc7804

2FA:
- Extensions to Salted Challenge Response (SCRAM) for 2 factor authentication: https://datatracker.ietf.org/doc/html/draft-ietf-kitten-scram-2fa

IANA:
- Simple Authentication and Security Layer (SASL) Mechanisms: https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml

Linked to:
- https://github.com/scram-xmpp/info/issues/1

Discussion

    Oliver Heil - 2022-08-22
    • assigned_to: Oliver Heil
     
    Oliver Heil - 2022-08-22
    • status: open --> open-remind
     
    Oliver Heil - 2022-08-22

    Remark:
    https://pear.php.net/package/Auth_SASL2
    0.2.0 (beta) was released on 2017-03-07

     
    Neustradamus - 2023-08-06

    @oheil: Have you progressed on it?

    Note there is:
    - https://pear.php.net/package/Auth_SASL

     
      Oliver Heil - 2023-08-07

      Thanks for the reminder.

      Note there is:
      - https://pear.php.net/package/Auth_SASL

      This package is not maintained anymore and has been superseded. Use Auth_SASL2 instead.

      This being said:
      No, I haven't worked on it yet.
      But there may be some spare time in the near future for this.
      To be explicit about what we are talking about:
      The wish is that the server-side NOCC code authenticates to the SMTP and the IMAP/POP3 servers via SCRAM, right?

       
