Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SCRAM-SHA-1(-PLUS) + SCRAM-SHA-256(-PLUS) + SCRAM-SHA-512(-PLUS) + SCRAM-SHA3-512(-PLUS) supports #302

Open
Neustradamus opened this issue Jan 10, 2022 · 13 comments

Comments

@Neustradamus
Copy link

Neustradamus commented Jan 10, 2022

Dear @gen-smtp team,

In first, I wish you a Happy New Year!

Can you add supports of:

  • SCRAM-SHA-1
  • SCRAM-SHA-1-PLUS
  • SCRAM-SHA-256
  • SCRAM-SHA-256-PLUS
  • SCRAM-SHA-512
  • SCRAM-SHA-512-PLUS
  • SCRAM-SHA3-512
  • SCRAM-SHA3-512-PLUS

You can add too:

  • SCRAM-SHA-224
  • SCRAM-SHA-224-PLUS
  • SCRAM-SHA-384
  • SCRAM-SHA-384-PLUS

Important history:

CRAM-MD5 to Historic:

RFC6331: Moving DIGEST-MD5 to Historic:

RFC8600: https://tools.ietf.org/html/rfc8600 (2019-06-21): https://mailarchive.ietf.org/arch/msg/ietf-announce/suJMmeMhuAOmGn_PJYgX5Vm8lNA
When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802].

But in "Best practices for password hashing and storage" expired I-D:

- EXTERNAL
- SCRAM-SHA-256-PLUS
- SCRAM-SHA-1-PLUS
- SCRAM-SHA-256
- SCRAM-SHA-1
- PLAIN

About Channel Binding (for -PLUS variants):

Some important XEPs:

Little details, to know easily:

  • tls-unique for TLS =< 1.2 (RFC5929)
  • tls-server-end-point (RFC5929)
  • tls-exporter for TLS = 1.3 (RFC9266)

After the jabber.ru MITM, Channel Binding is the solution:


SCRAM-SHA-1(-PLUS):

SCRAM-SHA-256(-PLUS):

SCRAM-SHA-512(-PLUS):

SCRAM-SHA3-512(-PLUS):

SCRAM BIS: Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms:

IMAP:

LDAP:

  • RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing Salted Challenge Response Authentication Mechanism (SCRAM) Secrets: https://tools.ietf.org/html/rfc5803 // July 2010

HTTP:

JMAP:

2FA:

IANA:

SASL2:

Linked to:

@seriyps
Copy link
Collaborator

seriyps commented Jan 10, 2022

I implemented SCRAM-SHA-256 for Erlang's postgres driver, it was not the easiest thing =)

Is there a specific usecase? Maybe some overview article about SCRAM in SMTP?

@Neustradamus
Copy link
Author

Neustradamus commented Jan 11, 2022

@seriyps: It will be excellent :)

Note, for example, that ProcessOne ejabberd and Erlang Solutions Mongoose IM have the support of SCRAM...

About "Mail", without libs, etc.:
From scram-sasl/info#1.

SCRAM-SHA-1 and SCRAM-SHA-256:

SCRAM-SHA-1, SCRAM-SHA-256, SCRAM-SHA-512:

SCRAM-SHA-1(-PLUS), SCRAM-SHA-256(-PLUS), SCRAM-SHA-512(-PLUS):

SCRAM-SHA-1(-PLUS), SCRAM-SHA-224(-PLUS), SCRAM-SHA-256(-PLUS), SCRAM-SHA-384(-PLUS), SCRAM-SHA-512(-PLUS):

SCRAM-SHA-1:

@Neustradamus
Copy link
Author

I have added the last RFC in the description: RFC9051: Internet Message Access Protocol (IMAP) - Version 4rev2:

I wish you a good reading, I know it is IMAP ^^

@Neustradamus
Copy link
Author

Dear @gen-smtp, @seriyps,

I wish you a Happy New Year 2024!

Have you progressed on it?

Thanks in advance.

@Vagabond
Copy link
Collaborator

maybe the way to handle this is to make authentication pluggable and then we could make an auth module that used https://github.com/esl/fast_scram ?

@Vagabond
Copy link
Collaborator

Actually I guess we could just add it as an optional dep, although SCRAM does seem quite invasive as it appears to take several steps to authenticate. Also we'd need a stringprep implementation.

@seriyps
Copy link
Collaborator

seriyps commented Jan 30, 2024

We have a stringprep algorithm in epgsql. It could be extracted as a separate app I guess

https://github.com/epgsql/epgsql/blob/devel/src/epgsql_sasl_prep_profile.erl

@Neustradamus
Copy link
Author

If you want, there are:

Fast_TLS: TLS / SSL OpenSSL-based native driver for Erlang / Elixir

Stringprep: Fast Stringprep implementation for Erlang / Elixir

@seriyps
Copy link
Collaborator

seriyps commented Jan 30, 2024

https://github.com/processone/stringprep is a NIF. Maybe it's ok. But maybe it's not :)

@Vagabond
Copy link
Collaborator

its probably going to be hard to do this without any NIFs, because there's a KDF involved

@seriyps
Copy link
Collaborator

seriyps commented Jan 30, 2024

@Vagabond I mean, Processone's stringprep (unicode password string normalization) is implemented as NIF, while we in epgsql did it in Erlang. Not sure how complete is it, because it was contributed from outside.

We did scram in Erlang as well, but it is quite ad-hoc
https://github.com/epgsql/epgsql/blob/7ba52768cf0ea7d084df24d4275a88eef4db13c2/src/epgsql_scram.erl#L72-L130

@Vagabond
Copy link
Collaborator

well, the reason pure-erlang is bad for a KDF is that if the client can do the KDF much faster than the server, than the inclination is to weaken the KDF to retain server performance, which gives a malicious client an advantage.

@seriyps
Copy link
Collaborator

seriyps commented Jan 30, 2024

Ah, got it. It was ok for epgsql because epgsql is a client, not server

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants