-PLUS variants for SCRAM

[Neustradamus]

"When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802]".

• SCRAM-SHA-1(-PLUS):
  -- RFC5802: Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms: https://tools.ietf.org/html/rfc5802
  -- RFC6120: Extensible Messaging and Presence Protocol (XMPP): Core: https://tools.ietf.org/html/rfc6120

• SCRAM-SHA-256(-PLUS):
  -- RFC7677: SCRAM-SHA-256 and SCRAM-SHA-256-PLUS Simple Authentication and Security Layer (SASL) Mechanisms: https://tools.ietf.org/html/rfc7677 - since 2015-11-02
  -- RFC8600: Using Extensible Messaging and Presence Protocol (XMPP) for Security Information Exchange: https://tools.ietf.org/html/rfc8600 - since 2019-06-21: https://mailarchive.ietf.org/arch/msg/ietf-announce/suJMmeMhuAOmGn_PJYgX5Vm8lNA

• SCRAM-SHA-512(-PLUS):
  -- https://tools.ietf.org/html/draft-melnikov-scram-sha-512

• SCRAM-SHA3-512(-PLUS):
  -- https://tools.ietf.org/html/draft-melnikov-scram-sha3-512

https://xmpp.org/extensions/inbox/hash-recommendations.html

-PLUS variants:

• RFC5056: On the Use of Channel Bindings to Secure Channels: https://tools.ietf.org/html/rfc5056
• RFC5929: Channel Bindings for TLS: https://tools.ietf.org/html/rfc5929
• Channel-Binding Types: https://www.iana.org/assignments/channel-binding-types/channel-binding-types.xhtml
• RFC 9266: Channel Bindings for TLS 1.3: https://tools.ietf.org/html/rfc9266

LDAP:

• RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing Salted: Challenge Response Authentication Mechanism (SCRAM) Secrets: https://tools.ietf.org/html/rfc5803

HTTP:

• RFC7804: Salted Challenge Response HTTP Authentication Mechanism: https://tools.ietf.org/html/rfc7804

2FA:

• Extensions to Salted Challenge Response (SCRAM) for 2 factor authentication: https://tools.ietf.org/html/draft-melnikov-scram-2fa

IANA:

• Simple Authentication and Security Layer (SASL) Mechanisms: https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml

Linked to:

• State of Play scram-sasl/info#1

[jstedfast]

MailKit already supports (and has for a few years now) SCRAM-SHA-256 and SCRAM-SHA-1 and correctly prefers SCRAM-SHA-256 over SCRAM-SHA-1.

The SCRAM SASL mechanisms do not appear to be widely supported among mail servers in general and the PLUS variants are even less widely supported as far as I've seen which makes this feature an extremely low priority for me.

I also don't have any servers available to me for testing any implementation of the PLUS variants that I come up with, so that puts a major road block in front of me as well.

That said, I would welcome a Pull Request for this feature if you really need it that badly.

[Neustradamus]

Yes, the request is for -PLUS variants :)

Since some months, Cyrus SASL supports (and Cyrus IMAP):

• SCRAM-SHA-1
• SCRAM-SHA-1-PLUS
• SCRAM-SHA-224
• SCRAM-SHA-224-PLUS
• SCRAM-SHA-256
• SCRAM-SHA-256-PLUS
• SCRAM-SHA-384
• SCRAM-SHA-384-PLUS
• SCRAM-SHA-512
• SCRAM-SHA-512-PLUS
  -> https://www.cyrusimap.org/sasl/sasl/authentication_mechanisms.html
  -> https://github.com/cyrusimap/cyrus-sasl/commits/master

More info on "State of Play" cited previously.

[jstedfast]

I don't have access to a Cyrus IMAP server, so that doesn't help me at all.

[jstedfast]

This seems impossible to implement using C# and SslStream.

[Neustradamus]

@jstedfast: What is the problem exactly?

[jstedfast]

@Neustradamus

I don't remember, but presumably the hooks needed for the -PLUS variants aren't available (or I couldn't find them) in SslStream. I'd be happy to review pull requests if you'd like to implement this.

[jstedfast]

MailKit v3.0.0 has been released with support for the -PLUS variants.

[Neustradamus]

@jstedfast: Nice, thanks!

Compatibility with TLS 1.2 and 1.3?

[jstedfast]

yes

[Neustradamus]

@jstedfast: It is official for TLS 1.3 Binding!

• RFC 9266: Channel Bindings for TLS 1.3: https://tools.ietf.org/html/rfc9266

Details:

• tls-unique for TLS =< 1.2
• tls-exporter for TLS = 1.3

Linked to:

• RFC 9266: Channel Bindings for TLS 1.3 support #1411