7Internet Engineering Task Force (IETF) T. Hansen
8Request for Comments: 7677 AT&T Laboratories
9Updates: 5802 November 2015
10Category: Standards Track
14 SCRAM-SHA-256 and SCRAM-SHA-256-PLUS
15 Simple Authentication and Security Layer (SASL) Mechanisms
19 This document registers the Simple Authentication and Security Layer
20 (SASL) mechanisms SCRAM-SHA-256 and SCRAM-SHA-256-PLUS, provides
21 guidance for secure implementation of the original SCRAM-SHA-1-PLUS
22 mechanism, and updates the SCRAM registration procedures of RFC 5802.
26 This is an Internet Standards Track document.
28 This document is a product of the Internet Engineering Task Force
29 (IETF). It represents the consensus of the IETF community. It has
30 received public review and has been approved for publication by the
31 Internet Engineering Steering Group (IESG). Further information on
32 Internet Standards is available in Section 2 of RFC 5741.
34 Information about the current status of this document, any errata,
35 and how to provide feedback on it may be obtained at
36 http://www.rfc-editor.org/info/rfc7677.
40 Copyright (c) 2015 IETF Trust and the persons identified as the
41 document authors. All rights reserved.
43 This document is subject to BCP 78 and the IETF Trust's Legal
44 Provisions Relating to IETF Documents
45 (http://trustee.ietf.org/license-info) in effect on the date of
46 publication of this document. Please review these documents
47 carefully, as they describe your rights and restrictions with respect
48 to this document. Code Components extracted from this document must
49 include Simplified BSD License text as described in Section 4.e of
50 the Trust Legal Provisions and are provided without warranty as
51 described in the Simplified BSD License.
58Hansen Standards Track [Page 1]
60RFC 7677 SASL SCRAM-SHA-256/SCRAM-SHA-256-PLUS November 2015
65 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
66 2. Key Word Definitions . . . . . . . . . . . . . . . . . . . . 2
67 3. SCRAM-SHA-256 and SCRAM-SHA-256-PLUS . . . . . . . . . . . . 2
68 4. Security Considerations . . . . . . . . . . . . . . . . . . . 3
69 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4
70 5.1. Updates to SCRAM-* Registration . . . . . . . . . . . . . 4
71 5.2. SASL-SCRAM Family Mechanisms Registration Procedure . . . 4
72 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 6
73 6.1. Normative References . . . . . . . . . . . . . . . . . . 6
74 6.2. Informative References . . . . . . . . . . . . . . . . . 7
75 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 7
76 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 8
80 This document registers the SASL mechanisms SCRAM-SHA-256 and SCRAM-
81 SHA-256-PLUS. SHA-256 has stronger security properties than SHA-1,
82 and it is expected that SCRAM mechanisms based on it will have
83 greater predicted longevity than the SCRAM mechanisms based on SHA-1.
85 The registration form for the SCRAM family of algorithms is also
86 updated from [RFC5802].
88 After publication of [RFC5802], it was discovered that Transport
89 Layer Security (TLS) [RFC5246] does not have the expected properties
90 for the "tls-unique" channel binding to be secure [RFC7627].
91 Therefore, this document contains normative text that applies to both
92 the original SCRAM-SHA-1-PLUS and the newly introduced SCRAM-SHA-
952. Key Word Definitions
97 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
98 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
99 document are to be interpreted as described in [RFC2119].
1013. SCRAM-SHA-256 and SCRAM-SHA-256-PLUS
103 The SCRAM-SHA-256 and SCRAM-SHA-256-PLUS SASL mechanisms are defined
104 in the same way that SCRAM-SHA-1 and SCRAM-SHA-1-PLUS are defined in
105 [RFC5802], except that the hash function for HMAC() and H() uses
106 SHA-256 instead of SHA-1 [RFC6234].
108 For the SCRAM-SHA-256 and SCRAM-SHA-256-PLUS SASL mechanisms, the
109 hash iteration-count announced by a server SHOULD be at least 4096.
114Hansen Standards Track [Page 2]
116RFC 7677 SASL SCRAM-SHA-256/SCRAM-SHA-256-PLUS November 2015
119 The GSS-API mechanism OID for SCRAM-SHA-256 is 1.3.6.1.5.5.18 (see
123 when the client doesn't support channel bindings. The username
124 'user' and password 'pencil' are being used.
126 C: n,,n=user,r=rOprNGfwEbeRWgbNEkqO
128 S: r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,
129 s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096
131 C: c=biws,r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,
132 p=dHzbZapWIk4jUhN+Ute9ytag9zjfMHgsqmmiz7AndVQ=
134 S: v=6rriTRBi23WpRR/wtup+mMhUZUn/dB5nLTJRsjl95G4=
1364. Security Considerations
138 The security considerations from [RFC5802] still apply.
140 To be secure, either SCRAM-SHA-256-PLUS and SCRAM-SHA-1-PLUS MUST be
141 used over a TLS channel that has had the session hash extension
142 [RFC7627] negotiated, or session resumption MUST NOT have been used.
144 See [RFC4270] and [RFC6194] for reasons to move from SHA-1 to a
145 strong security mechanism like SHA-256.
147 The strength of this mechanism is dependent in part on the hash
148 iteration-count, as denoted by "i" in [RFC5802]. As a rule of thumb,
149 the hash iteration-count should be such that a modern machine will
150 take 0.1 seconds to perform the complete algorithm; however, this is
151 unlikely to be practical on mobile devices and other relatively low-
152 performance systems. At the time this was written, the rule of thumb
153 gives around 15,000 iterations required; however, a hash iteration-
154 count of 4096 takes around 0.5 seconds on current mobile handsets.
155 This computational cost can be avoided by caching the ClientKey
156 (assuming the Salt and hash iteration-count is stable). Therefore,
157 the recommendation of this specification is that the hash iteration-
158 count SHOULD be at least 4096, but careful consideration ought to be
159 given to using a significantly higher value, particularly where
160 mobile use is less important.
170Hansen Standards Track [Page 3]
172RFC 7677 SASL SCRAM-SHA-256/SCRAM-SHA-256-PLUS November 2015
1755. IANA Considerations
1775.1. Updates to SCRAM-* Registration
179 The IANA registry for SCRAM-* (the SCRAM family of SASL mechanisms)
180 in the SASL mechanism registry ([RFC4422]) has been updated as
181 follows. The email address for reviews has been updated, and the
182 note at the end changed.
185 Subject: Registration of a new SASL family SCRAM
187 SASL mechanism name (or prefix for the family): SCRAM-*
188 Security considerations: Section 7 of [RFC5802]
189 Published specification (optional, recommended): RFC 7677
190 Person & email address to contact for further information:
191 IETF KITTEN WG <kitten@ietf.org>
192 Intended usage: COMMON
193 Owner/Change controller: IESG <iesg@ietf.org>
194 Note: Members of this family MUST be explicitly registered using
195 the "IETF Review" [RFC5226] registration procedure. Reviews
196 MUST be requested on the KITTEN mailing list kitten@ietf.org
197 (or a successor designated by the responsible Security AD).
199 Note to future SCRAM-mechanism designers: each new SASL SCRAM
200 mechanism MUST be explicitly registered with IANA within the SASL
201 SCRAM Family Mechanisms registry.
2035.2. SASL-SCRAM Family Mechanisms Registration Procedure
205 A new IANA registry has been added for members of the SCRAM family of
206 SASL mechanisms, named "SASL SCRAM Family Mechanisms". It adds two
207 new fields to the existing SCRAM mechanism registry: Minimum
208 iteration-count and Associated OID. Below is the template for
209 registration of a new SASL family SCRAM. (Note that the string
210 "TBD-BY-IANA" should be left as is, so that it may be filled in at
211 registration time by IANA.)
226Hansen Standards Track [Page 4]
228RFC 7677 SASL SCRAM-SHA-256/SCRAM-SHA-256-PLUS November 2015
232 Subject: Registration of a new SASL SCRAM family mechanism
234 SASL mechanism name (or prefix for the family): SCRAM-<NAME>
235 Security considerations: Section 7 of [RFC5802]
236 Published specification (optional, recommended): RFC 7677
237 Minimum iteration-count: The minimum hash iteration-count that
238 servers SHOULD announce
239 Associated OID: TBD-BY-IANA
240 Person & email address to contact for further information:
241 IETF KITTEN WG <kitten@ietf.org>
242 Intended usage: COMMON
243 Owner/Change controller: IESG <iesg@ietf.org>
245 Note: Members of this family MUST be explicitly registered using
246 the "IETF Review" [RFC5226] registration procedure. Reviews MUST
247 be requested on the KITTEN mailing list kitten@ietf.org (or a
248 successor designated by the responsible Security Area Director).
250 Note: At publication of a new SASL SCRAM Family Mechanism, IANA
251 SHOULD assign a GSS-API mechanism OID for this mechanism from the
252 iso.org.dod.internet.security.mechanisms prefix (see the "SMI
253 Security for Mechanism Codes" registry) and fill in the value for
254 "TBD-BY-IANA" above. Only one OID needs to be assigned for a
255 SCRAM-<NAME> and SCRAM-<NAME>-PLUS pair. The same OID should be
256 assigned to both entries in the registry.
258 Note to future SASL SCRAM mechanism designers: each new SASL SCRAM
259 mechanism MUST be explicitly registered with IANA and MUST comply
260 with the SCRAM-mechanism naming convention defined in Section 4 of
263 The existing entries for SASL SCRAM-SHA-1 and SCRAM-SHA-1-PLUS have
264 been moved from the existing SASL mechanism registry to the "SASL
265 SCRAM Family Mechanisms" registry. At that time, the following
268 Minimum iteration-count: 4096
269 OID: 1.3.6.1.5.5.14 (from [RFC5802])
282Hansen Standards Track [Page 5]
284RFC 7677 SASL SCRAM-SHA-256/SCRAM-SHA-256-PLUS November 2015
287 The following new SASL SCRAM mechanisms have been added to the "SASL
288 SCRAM Family Mechanisms" registry:
291 Subject: Registration of a new SASL SCRAM Family mechanism
294 SASL mechanism name (or prefix for the family): SCRAM-SHA-256
295 Security considerations: Section 4 of RFC 7677
296 Published specification (optional, recommended): RFC 7677
297 Minimum iteration-count: 4096
299 Person & email address to contact for further information:
300 IETF KITTEN WG <kitten@ietf.org>
301 Intended usage: COMMON
302 Owner/Change controller: IESG <iesg@ietf.org>
306 Subject: Registration of a new SASL SCRAM Family mechanism
309 SASL mechanism name (or prefix for the family): SCRAM-SHA-256-PLUS
310 Security considerations: Section 4 of RFC 7677
311 Published specification (optional, recommended): RFC 7677
312 Minimum iteration-count: 4096
314 Person & email address to contact for further information:
315 IETF KITTEN WG <kitten@ietf.org>
316 Intended usage: COMMON
317 Owner/Change controller: IESG <iesg@ietf.org>
3226.1. Normative References
324 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
325 Requirement Levels", BCP 14, RFC 2119,
326 DOI 10.17487/RFC2119, March 1997,
327 <http://www.rfc-editor.org/info/rfc2119>.
329 [RFC4422] Melnikov, A., Ed. and K. Zeilenga, Ed., "Simple
330 Authentication and Security Layer (SASL)", RFC 4422,
331 DOI 10.17487/RFC4422, June 2006,
332 <http://www.rfc-editor.org/info/rfc4422>.
338Hansen Standards Track [Page 6]
340RFC 7677 SASL SCRAM-SHA-256/SCRAM-SHA-256-PLUS November 2015
343 [RFC5802] Newman, C., Menon-Sen, A., Melnikov, A., and N. Williams,
344 "Salted Challenge Response Authentication Mechanism
345 (SCRAM) SASL and GSS-API Mechanisms", RFC 5802,
346 DOI 10.17487/RFC5802, July 2010,
347 <http://www.rfc-editor.org/info/rfc5802>.
349 [RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms
350 (SHA and SHA-based HMAC and HKDF)", RFC 6234,
351 DOI 10.17487/RFC6234, May 2011,
352 <http://www.rfc-editor.org/info/rfc6234>.
354 [RFC7627] Bhargavan, K., Ed., Delignat-Lavaud, A., Pironti, A.,
355 Langley, A., and M. Ray, "Transport Layer Security (TLS)
356 Session Hash and Extended Master Secret Extension",
357 RFC 7627, DOI 10.17487/RFC7627, September 2015,
358 <http://www.rfc-editor.org/info/rfc7627>.
3606.2. Informative References
362 [RFC4270] Hoffman, P. and B. Schneier, "Attacks on Cryptographic
363 Hashes in Internet Protocols", RFC 4270,
364 DOI 10.17487/RFC4270, November 2005,
365 <http://www.rfc-editor.org/info/rfc4270>.
367 [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
368 IANA Considerations Section in RFCs", BCP 26, RFC 5226,
369 DOI 10.17487/RFC5226, May 2008,
370 <http://www.rfc-editor.org/info/rfc5226>.
372 [RFC6194] Polk, T., Chen, L., Turner, S., and P. Hoffman, "Security
373 Considerations for the SHA-0 and SHA-1 Message-Digest
374 Algorithms", RFC 6194, DOI 10.17487/RFC6194, March 2011,
375 <http://www.rfc-editor.org/info/rfc6194>.
377 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
378 (TLS) Protocol Version 1.2", RFC 5246,
379 DOI 10.17487/RFC5246, August 2008,
380 <http://www.rfc-editor.org/info/rfc5246>.
384 This document benefited from discussions on the KITTEN WG mailing
385 list. The author would like to specially thank Russ Allbery, Dave
386 Cridland, Shawn Emery, Stephen Farrell, Simon Josefsson, Pearl Liang,
387 Alexey Melnikov, Peter Saint-Andre, Robert Sparks, Martin Thompson,
388 and Nico Williams for their comments on this topic.
394Hansen Standards Track [Page 7]
396RFC 7677 SASL SCRAM-SHA-256/SCRAM-SHA-256-PLUS November 2015
403 200 Laurel Ave. South
407 Email: tony+scramsha256@maillennium.att.com
450Hansen Standards Track [Page 8]