SCRAM Key Provider Plugin

A lightweight and easy-to-use password manager

Brought to you by: dreichl

#2856 SCRAM Key Provider Plugin

Milestone: KeePass_2.x

Status: open

Owner: nobody

Labels: Security (5) Password (4)

Priority: 5

Updated: 2023-12-26

Created: 2023-12-26

Creator: Neustradamus

Private: No

Dear @keepass team,

Can you add supports of :

SCRAM-SHA-1
SCRAM-SHA-1-PLUS
SCRAM-SHA-256
SCRAM-SHA-256-PLUS
SCRAM-SHA-512
SCRAM-SHA-512-PLUS
SCRAM-SHA3-512
SCRAM-SHA3-512-PLUS

"When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802]".

SCRAM-SHA-1(-PLUS):
-- https://tools.ietf.org/html/rfc5802
-- https://tools.ietf.org/html/rfc6120
SCRAM-SHA-256(-PLUS):
-- https://tools.ietf.org/html/rfc7677 since 2015-11-02
-- https://tools.ietf.org/html/rfc8600 since 2019-06-21: https://mailarchive.ietf.org/arch/msg/ietf-announce/suJMmeMhuAOmGn_PJYgX5Vm8lNA
SCRAM-SHA-512(-PLUS):
-- https://tools.ietf.org/html/draft-melnikov-scram-sha-512
SCRAM-SHA3-512(-PLUS):
-- https://tools.ietf.org/html/draft-melnikov-scram-sha3-512
SCRAM BIS: Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms:
-- https://tools.ietf.org/html/draft-melnikov-scram-bis

https://xmpp.org/extensions/inbox/hash-recommendations.html

-PLUS variants:

RFC5056: On the Use of Channel Bindings to Secure Channels: https://tools.ietf.org/html/rfc5056
RFC5929: Channel Bindings for TLS: https://tools.ietf.org/html/rfc5929
Channel-Binding Types: https://www.iana.org/assignments/channel-binding-types/channel-binding-types.xhtml
RFC 9266: Channel Bindings for TLS 1.3: https://tools.ietf.org/html/rfc9266

IMAP:

RFC9051: Internet Message Access Protocol (IMAP) - Version 4rev2: https://tools.ietf.org/html/rfc9051

LDAP:

RFC5803: Lightweight Directory Access Protocol (LDAP) Schema for Storing Salted: Challenge Response Authentication Mechanism (SCRAM) Secrets: https://tools.ietf.org/html/rfc5803

HTTP:

RFC7804: Salted Challenge Response HTTP Authentication Mechanism: https://tools.ietf.org/html/rfc7804

2FA:

Extensions to Salted Challenge Response (SCRAM) for 2 factor authentication: https://datatracker.ietf.org/doc/html/draft-ietf-kitten-scram-2fa

IANA:

Simple Authentication and Security Layer (SASL) Mechanisms: https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml

Linked to:

https://github.com/scram-xmpp/info/issues/1

Discussion

Paul - 2023-12-26

Why?
The current encryption methods are not broken and are not likely to be.

cheers, Paul

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dominik Reichl - 2023-12-26

SCRAM is a challenge-response authentication mechanism. This is primarily intended for client/server systems, but it might be possible to encrypt/decrypt database files with a construction similar to OtpKeyProv. I'm currently not planning to develop a plugin for this, but maybe someone else does, thus I'm moving this to the open feature requests.

Thanks and best regards,
Dominik

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dominik Reichl - 2023-12-26

summary: SCRAM-SHA-1(-PLUS) + SCRAM-SHA-256(-PLUS) + SCRAM-SHA-512(-PLUS) + SCRAM-SHA3-512(-PLUS) supports --> SCRAM Key Provider Plugin

Group: KeePass_1.x --> KeePass_2.x
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dominik Reichl - 2023-12-26

Ticket moved from /p/keepass/bugs/2291/

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Log in to post a comment.