Salted Challenge Response HTTP Authentication Mechanism
RFC 7804
Document | Type | RFC - Experimental (March 2016; Errata) | |
---|---|---|---|
Author | Alexey Melnikov | ||
Last updated | 2018-09-11 | ||
Stream | Internet Engineering Task Force (IETF) | ||
Formats | plain text html pdf htmlized (tools) htmlized bibtex | ||
Reviews | |||
Stream | WG state | Submitted to IESG for Publication | |
Document shepherd | Rifaat Shekh-Yusef | ||
Shepherd write-up | Show (last changed 2015-12-02) | ||
IESG | IESG state | RFC 7804 (Experimental) | |
Action Holders |
(None)
|
||
Consensus Boilerplate | Yes | ||
Telechat date | |||
Responsible AD | Kathleen Moriarty | ||
Send notices to | draft-ietf-httpauth-scram-auth-all@tools.ietf.org, alexey.melnikov@isode.com, httpauth-chairs@tools.ietf.org | ||
IANA | IANA review state | IANA OK - Actions Needed | |
IANA action state | RFC-Ed-Ack |
Internet Engineering Task Force (IETF) A. Melnikov Request for Comments: 7804 Isode Ltd Category: Experimental March 2016 ISSN: 2070-1721 Salted Challenge Response HTTP Authentication Mechanism Abstract This specification describes a family of HTTP authentication mechanisms called the Salted Challenge Response Authentication Mechanism (SCRAM), which provides a more robust authentication mechanism than a plaintext password protected by Transport Layer Security (TLS) and avoids the deployment obstacles presented by earlier TLS-protected challenge response authentication mechanisms. Status of This Memo This document is not an Internet Standards Track specification; it is published for examination, experimental implementation, and evaluation. This document defines an Experimental Protocol for the Internet community. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7804. Melnikov Experimental [Page 1] RFC 7804 HTTP SCRAM March 2016 Copyright Notice Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Conventions Used in This Document . . . . . . . . . . . . . . 3 2.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 2.2. Notation . . . . . . . . . . . . . . . . . . . . . . . . 4 3. SCRAM Algorithm Overview . . . . . . . . . . . . . . . . . . 6 4. SCRAM Mechanism Names . . . . . . . . . . . . . . . . . . . . 7 5. SCRAM Authentication Exchange . . . . . . . . . . . . . . . . 7 5.1. One Round-Trip Reauthentication . . . . . . . . . . . . . 10 6. Use of the Authentication-Info Header Field with SCRAM . . . 12 7. Formal Syntax . . . . . . . . . . . . . . . . . . . . . . . . 13 8. Security Considerations . . . . . . . . . . . . . . . . . . . 14 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 10. Design Motivations . . . . . . . . . . . . . . . . . . . . . 15 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 16 11.1. Normative References . . . . . . . . . . . . . . . . . . 16 11.2. Informative References . . . . . . . . . . . . . . . . . 17 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 18 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 18 1. Introduction The authentication mechanism most widely deployed and used by Internet application protocols is the transmission of clear-text passwords over a channel protected by Transport Layer Security (TLS). There are some significant security concerns with that mechanism, which could be addressed by the use of a challenge response authentication mechanism protected by TLS. Unfortunately, the HTTP Digest challenge response mechanism presently on the Standards Track failed widespread deployment and has had only limited success. Melnikov Experimental [Page 2] RFC 7804 HTTP SCRAM March 2016 This specification describes a family of authentication mechanisms called the Salted Challenge Response Authentication Mechanism (SCRAM), which addresses the requirements necessary to deploy a challenge response mechanism more widely than past attempts (see [RFC5802]). In particular, it addresses some of the issues identified with HTTP Digest, as described in [RFC6331], such as the complexity of implementation and protection of the whole authentication exchange in order to protect against certain man-in- the-middle attacks. HTTP SCRAM is an adaptation of [RFC5802] for use in HTTP. The SCRAMShow full document text