SCRAM-SHA-256
The Salted Challenge Response Authentication Mechanism (SCRAM) is a secure protocol for proving a user's identity to a server without sending the password over the network. It uses a server-generated "salt" and a "challenge" to create a hashed response that is verified by both the client and server, protecting against attacks like eavesdropping and making dictionary attacks more difficult. SCRAM is based on the RFC 5802 standard from the IETF (Internet Engineering Task Force) and is used in various applications, including MongoDB, XMPP, IMAP, and SMTP.
How SCRAM works
- Client sends login request: The client initiates a login by sending its username to the server.
- Server generates salt and challenge: The server generates a unique, random string called a "salt" for the user and a random "challenge" for this session.
- Server sends salt and challenge to client: The server sends both the salt and the challenge back to the client.
- Client calculates response: The client uses the received salt, the challenge, and the user's password to perform a cryptographic hashing operation and creates a response.
- Client sends response to server: The client sends this calculated response back to the server.
- Server verifies response: The server performs the same hashing operation using its stored salt and the user's password, and then compares its result to the response received from the client.
- Authentication is successful: If the two results match, the user is authenticated.
Key features
- Mutual authentication: Both the client and the server can verify each other's identity without sending the password over the network.
- Salted passwords: The use of a salt for each user prevents attackers from using pre-computed rainbow tables to crack passwords.
- Challenge-response: The server's random challenge prevents an attacker from simply replaying a recorded login attempt.
- Resistance to attacks: SCRAM is designed to be resistant to eavesdropping and man-in-the-middle attacks.
How SCRAM works
SCRAM authentication works through an interactive conversation between a client (user) and server. It involves several steps:
- A SCRAM session begins with the client sending a username and a client ‘nonce’ (a unique, random number) to the server. This is the “client-first” message.
- In response, the server sends back a ‘nonce’ of its own (appended to the client nonce), along with a ‘salt’ (random data used as an additional input to the one-way function that hashes the password) and an iteration count. This constitutes the “server-first” message.
- The client then uses these values along with its password to compute a ‘Client Proof’ and sends it back to the server, along with ‘channel binding’ information. This is the “client-final” message.
- The server then validates the ‘Client Proof’ using the stored iteration count, salt, and the original password’s hash. If it validates, the server will then generate a ‘Server Signature’ and send it back to the client. This is the “server-final” message.
- Finally, the client validates the ‘Server Signature’.
If both ‘Client Proof’ and ‘Server Signature’ validations are successful, the client and server have mutually authenticated.
This process is designed to protect password-based authentication from eavesdropping and man-in-the-middle attacks while also providing mutual authentication. SCRAM can function with any hash function and is usually used with Transport Layer Security (TLS) for an extra layer of security. It can also incorporate channel binding to bind the authentication to a lower encryption layer.
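The four-message exchange above, carried through in Python as an added example (it is not code from the original article). It follows the key derivation in RFC 5802 with SHA-256, where the server keeps only StoredKey and ServerKey rather than the password. The function names are this example's own, and the messages are the published RFC 7677 test vector (user "user", password "pencil"). It assumes an ASCII password (no SASLprep) and no channel binding.

```python
import base64
import hashlib
import hmac

def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _attrs(message: str) -> dict:
    # SCRAM messages are comma-separated "k=value" attributes.
    return dict(part.split("=", 1) for part in message.split(","))

def derive_keys(password: str, salt: bytes, iterations: int):
    """Return (ClientKey, StoredKey, ServerKey); a server keeps only the last two."""
    # Assumption: ASCII password, so SASLprep normalisation is skipped.
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    return client_key, hashlib.sha256(client_key).digest(), _hmac(salted, b"Server Key")

def client_final(password: str, client_first_bare: str, server_first: str):
    """Client: build client-final and the server-final it should expect back."""
    sf = _attrs(server_first)
    if not sf["r"].startswith(_attrs(client_first_bare)["r"]):
        raise ValueError("server nonce does not extend the client nonce")
    client_key, stored_key, server_key = derive_keys(
        password, base64.b64decode(sf["s"]), int(sf["i"]))
    without_proof = "c=biws,r=" + sf["r"]  # biws = base64("n,,"): no channel binding
    auth = f"{client_first_bare},{server_first},{without_proof}".encode()
    # ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)
    proof = bytes(a ^ b for a, b in zip(client_key, _hmac(stored_key, auth)))
    expected = "v=" + base64.b64encode(_hmac(server_key, auth)).decode()
    return without_proof + ",p=" + base64.b64encode(proof).decode(), expected

def server_verify(stored_key, server_key, client_first_bare, server_first, final):
    """Server: check ClientProof against StoredKey; return server-final or None."""
    without_proof, proof_b64 = final.rsplit(",p=", 1)
    auth = f"{client_first_bare},{server_first},{without_proof}".encode()
    signature = _hmac(stored_key, auth)
    # Recover ClientKey from the proof; only the right password hashes to StoredKey.
    client_key = bytes(a ^ b for a, b in zip(base64.b64decode(proof_b64), signature))
    if not hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key):
        return None
    return "v=" + base64.b64encode(_hmac(server_key, auth)).decode()

# Messages from the RFC 7677 test vector.
CLIENT_FIRST_BARE = "n=user,r=rOprNGfwEbeRWgbNEkqO"
SERVER_FIRST = ("r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,"
                "s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096")
```

A production server would also check that the nonce in the client-final message equals the one it issued before verifying the proof.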
Why use SCRAM?
Organizations use SCRAM authentication for numerous reasons:
Higher Security
SCRAM offers a higher level of security by storing hashed passwords, instead of plain ones, on the server. This means that even in case of a data breach, the attacker won’t be able to see the actual passwords.
Protection against Replay Attacks
SCRAM helps guard against replay attacks, in which an attacker intercepts and reuses authentication messages. It does not allow previously intercepted authentication messages to be reused illegitimately.
Resistance to Brute-Force Attacks
SCRAM uses an iteration value that can be set to a high number, making brute-force attacks computationally very expensive and impractical.
Prevention of Man-in-the-middle Attacks
SCRAM’s “channel binding” feature can provide additional protection against man-in-the-middle attacks, which occur when an attacker secretly intercepts and potentially alters the communication between two parties who believe they are directly communicating with each other.
Offloading Computation Cost
SCRAM shifts the computation cost of password hashing from the server to the client. This can prevent servers from being overwhelmed in a potential distributed denial of service (DDoS) attack.
Separation of Concerns
By using SCRAM, an organization can delegate the handling of cleartext credentials to a dedicated secrets-management service, minimizing exposure and possibly avoiding breaches. It’s easier to ensure security when responsibilities are clearly divided.