Salted Challenge Response (SCRAM) HTTP Authentication Mechanism
draft-ietf-httpauth-scram-auth-14

The information below is for an old version of the document
Document Type Active Internet-Draft (httpauth WG)
Author Alexey Melnikov 
Last updated 2015-12-16 (latest revision 2015-12-05)
Stream IETF
Intended RFC status Experimental
Stream WG state Submitted to IESG for Publication
Document shepherd Rifaat Shekh-Yusef
Shepherd write-up last changed 2015-12-02
IESG IESG state Waiting for AD Go-Ahead
Consensus Boilerplate Yes
Has enough positions to pass.
Responsible AD Kathleen Moriarty
Send notices to draft-ietf-httpauth-scram-auth-all@tools.ietf.org, alexey.melnikov@isode.com, httpauth-chairs@tools.ietf.org
IANA IANA review state IANA OK - Actions Needed
HTTPAUTH                                                     A. Melnikov
Internet-Draft                                                 Isode Ltd
Intended status: Experimental                           December 5, 2015
Expires: June 7, 2016

    Salted Challenge Response (SCRAM) HTTP Authentication Mechanism
                 draft-ietf-httpauth-scram-auth-14.txt

Abstract

   This specification describes a family of HTTP authentication
   mechanisms called the Salted Challenge Response Authentication
   Mechanism (SCRAM), which provides a more robust authentication
   mechanism than a plaintext password protected by Transport Layer
   Security (TLS) and avoids the deployment obstacles presented by
   earlier TLS-protected challenge response authentication mechanisms.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on June 7, 2016.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Melnikov                  Expires June 7, 2016                  [Page 1]
Internet-Draft                 HTTP SCRAM                  December 2015

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Conventions Used in This Document . . . . . . . . . . . . . .   3
   2.1.  Terminology . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.2.  Notation  . . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  SCRAM Algorithm Overview  . . . . . . . . . . . . . . . . . .   5
   4.  SCRAM Mechanism Names . . . . . . . . . . . . . . . . . . . .   6
   5.  SCRAM Authentication Exchange . . . . . . . . . . . . . . . .   7
   5.1.  One round trip reauthentication . . . . . . . . . . . . . .  10
   6.  Use of Authentication-Info header field with SCRAM  . . . . .  12
   7.  Formal Syntax . . . . . . . . . . . . . . . . . . . . . . . .  12
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .  13
   9.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  15
   10. Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  15
   11. Design Motivations  . . . . . . . . . . . . . . . . . . . . .  15
   12. References  . . . . . . . . . . . . . . . . . . . . . . . . .  16
   12.1.  Normative References . . . . . . . . . . . . . . . . . . .  16
   12.2.  Informative References . . . . . . . . . . . . . . . . . .  17
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  18

1.  Introduction

   The authentication mechanism most widely deployed and used by
   Internet application protocols is the transmission of clear-text
   passwords over a channel protected by Transport Layer Security (TLS).
   There are some significant security concerns with that mechanism,
   which could be addressed by the use of a challenge-response
   authentication mechanism protected by TLS.  Unfortunately, the HTTP
   Digest challenge-response mechanism presently on the Standards Track
   has failed to achieve widespread deployment and has had success only
   in limited use.

   This specification describes a family of authentication mechanisms
   called the Salted Challenge Response Authentication Mechanism (SCRAM)
   which addresses the requirements necessary to deploy a challenge-
   response mechanism more widely than past attempts (see [RFC5802]).
   In particular, it addresses some of the issues identified with HTTP
   Digest [RFC6331], such as implementation complexity and the need to
   protect the whole authentication exchange in order to defend against
   certain man-in-the-middle attacks.

   HTTP SCRAM is an adaptation of [RFC5802] for use in HTTP.  (The SCRAM
   data exchanged is identical to that defined in [RFC5802].)  It also
   adds a one-round-trip reauthentication mode.
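   The challenge-response exchange that this draft carries over unchanged
   from [RFC5802], as an added example (it is not part of the draft and
   not the author's or Isode's code): both sides of a SCRAM-SHA-1
   exchange in Python, checked against the SCRAM-SHA-1 test vector in
   RFC 5802, Section 5 (password "pencil", fixed nonces).  The HTTP
   header framing of the four messages is defined later in the draft and
   is not shown here; the function names, the provisioning step and the
   wrong-password check are this example's own.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample input: the SCRAM-SHA-1 test vector from RFC 5802,
# Section 5.  Nonces are fixed only so the output is reproducible; a real
# client and server must draw fresh random nonces for every exchange.
PASSWORD = "pencil"            # SASLprep is a no-op for this value
CLIENT_NONCE = "fyko+d2lbbFgONRv9qkxdawL"
SERVER_NONCE_EXT = "3rfcNHYJY1ZVvWVs7j"
SALT = base64.b64decode("QSXCR+Q6sek8bf92")
ITERATIONS = 4096
GS2_HEADER = "n,,"             # no channel binding


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha1).digest()


def salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    # Hi(str, salt, i) in RFC 5802 is PBKDF2-HMAC-SHA-1 with a one-block output.
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)


def derive_keys(password: str, salt: bytes, iterations: int):
    # ClientKey, StoredKey and ServerKey as defined in RFC 5802, Section 3.
    sp = salted_password(password, salt, iterations)
    client_key = _hmac(sp, b"Client Key")
    stored_key = hashlib.sha1(client_key).digest()
    server_key = _hmac(sp, b"Server Key")
    return client_key, stored_key, server_key


def client_first_message(user: str, nonce: str):
    bare = f"n={user},r={nonce}"
    return GS2_HEADER + bare, bare


def server_first_message(client_nonce, server_nonce_ext, salt, iterations) -> str:
    # The server appends its own nonce and tells the client salt and iteration count.
    return f"r={client_nonce}{server_nonce_ext},s={_b64(salt)},i={iterations}"


def client_final_message(password: str, client_first_bare: str, server_first: str):
    fields = dict(f.split("=", 1) for f in server_first.split(","))
    salt, iterations = base64.b64decode(fields["s"]), int(fields["i"])
    without_proof = f"c={_b64(GS2_HEADER.encode())},r={fields['r']}"
    auth_message = ",".join([client_first_bare, server_first, without_proof]).encode()
    client_key, stored_key, server_key = derive_keys(password, salt, iterations)
    proof = _xor(client_key, _hmac(stored_key, auth_message))   # ClientProof
    return f"{without_proof},p={_b64(proof)}", auth_message, server_key


def server_verify(stored_key, server_key, client_first_bare, server_first, client_final):
    # Recover ClientKey from the proof and check H(ClientKey) == StoredKey.
    # Returns the server-final message on success, None on a bad proof.
    m = re.fullmatch(r"(.*),p=([A-Za-z0-9+/]+=*)", client_final)
    if m is None:
        return None
    without_proof, proof = m.group(1), base64.b64decode(m.group(2))
    auth_message = ",".join([client_first_bare, server_first, without_proof]).encode()
    client_key = _xor(proof, _hmac(stored_key, auth_message))
    if not hmac.compare_digest(hashlib.sha1(client_key).digest(), stored_key):
        return None
    return "v=" + _b64(_hmac(server_key, auth_message))         # ServerSignature


def client_verify(server_key: bytes, auth_message: bytes, server_final: str) -> bool:
    # Mutual authentication: the server must prove it holds ServerKey.
    return hmac.compare_digest("v=" + _b64(_hmac(server_key, auth_message)), server_final)


def run_exchange(client_password=PASSWORD, stored_password=PASSWORD, user="user"):
    # Provisioning (this example's own step): the server keeps only salt,
    # iteration count, StoredKey and ServerKey, never the password itself.
    _, stored_key, server_key = derive_keys(stored_password, SALT, ITERATIONS)
    client_first, client_first_bare = client_first_message(user, CLIENT_NONCE)
    server_first = server_first_message(CLIENT_NONCE, SERVER_NONCE_EXT, SALT, ITERATIONS)
    client_final, auth_message, client_side_server_key = client_final_message(
        client_password, client_first_bare, server_first)
    server_final = server_verify(stored_key, server_key, client_first_bare, server_first, client_final)
    mutual_ok = server_final is not None and client_verify(client_side_server_key, auth_message, server_final)
    return {"client_first": client_first, "server_first": server_first,
            "client_final": client_final, "server_final": server_final, "mutual_ok": mutual_ok}


if __name__ == "__main__":
    for name, value in run_exchange().items():
        print(f"{name}: {value}")
```

   Nothing on the wire is the password: an observer of all four messages
   learns only the salt, the iteration count and a proof bound to both
   nonces, and the server-final message lets the client reject a server
   that does not hold ServerKey.  Running run_exchange with a wrong
   client_password makes server_verify return None instead of a
   server-final message.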
