Salted Challenge Response (SCRAM) HTTP Authentication Mechanism
draft-ietf-httpauth-scram-auth-14
| The information below is for an old version of the document | |||
|---|---|---|---|
| Document | Type | Active Internet-Draft (httpauth WG) | |
| Author | Alexey Melnikov | ||
| Last updated | 2015-12-16 (latest revision 2015-12-05) | ||
| Stream | IETF | ||
| Intended RFC status | Experimental | ||
| Formats | pdf htmlized (tools) htmlized bibtex | ||
| Reviews | |||
| Stream | WG state | Submitted to IESG for Publication | |
| Document shepherd | Rifaat Shekh-Yusef | ||
| Shepherd write-up | Show (last changed 2015-12-02) | ||
| IESG | IESG state | Waiting for AD Go-Ahead | |
| Consensus Boilerplate | Yes | ||
| Telechat date |
Has enough positions to pass. |
||
| Responsible AD | Kathleen Moriarty | ||
| Send notices to | draft-ietf-httpauth-scram-auth-all@tools.ietf.org, alexey.melnikov@isode.com, httpauth-chairs@tools.ietf.org | ||
| IANA | IANA review state | IANA OK - Actions Needed | |
HTTPAUTH A. Melnikov
Internet-Draft Isode Ltd
Intended status: Experimental December 5, 2015
Expires: June 7, 2016
Salted Challenge Response (SCRAM) HTTP Authentication Mechanism
draft-ietf-httpauth-scram-auth-14.txt
Abstract
This specification describes a family of HTTP authentication
mechanisms called the Salted Challenge Response Authentication
Mechanism (SCRAM), which provides a more robust authentication
mechanism than a plaintext password protected by Transport Layer
Security (TLS) and avoids the deployment obstacles presented by
earlier TLS-protected challenge response authentication mechanisms.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 7, 2016.
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
Melnikov Expires June 7, 2016 [Page 1]
Internet-Draft HTTP SCRAM December 2015
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions Used in This Document . . . . . . . . . . . . . . 3
2.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2. Notation . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. SCRAM Algorithm Overview . . . . . . . . . . . . . . . . . . 5
4. SCRAM Mechanism Names . . . . . . . . . . . . . . . . . . . . 6
5. SCRAM Authentication Exchange . . . . . . . . . . . . . . . . 7
5.1. One round trip reauthentication . . . . . . . . . . . . . . 10
6. Use of Authentication-Info header field with SCRAM . . . . . 12
7. Formal Syntax . . . . . . . . . . . . . . . . . . . . . . . . 12
8. Security Considerations . . . . . . . . . . . . . . . . . . . 13
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15
10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 15
11. Design Motivations . . . . . . . . . . . . . . . . . . . . . 15
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 16
12.1. Normative References . . . . . . . . . . . . . . . . . . . 16
12.2. Informative References . . . . . . . . . . . . . . . . . . 17
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 18
1. Introduction
The authentication mechanism most widely deployed and used by
Internet application protocols is the transmission of clear-text
passwords over a channel protected by Transport Layer Security (TLS).
There are some significant security concerns with that mechanism,
which could be addressed by the use of a challenge response
authentication mechanism protected by TLS. Unfortunately, the HTTP
Digest challenge response mechanism presently on the standards track
failed widespread deployment, and have had success only in limited
use.
This specification describes a family of authentication mechanisms
called the Salted Challenge Response Authentication Mechanism (SCRAM)
which addresses the requirements necessary to deploy a challenge-
response mechanism more widely than past attempts (see [RFC5802]).
In particular, it addresses some of the issues identified with HTTP
Digest [RFC6331], such as complexity of implementing and protection
of the whole authentication exchange in order to protect from certain
man-in-the-middle attacks.
HTTP SCRAM is adoptation of [RFC5802] for use in HTTP. (SCRAM data
exchanged is identical to what is defined in [RFC5802].) It also
adds 1 round trip reauthentication mode.
Melnikov Expires June 7, 2016 [Page 2]
Show full document text