SCRAM-SHA-1
E845091
SCRAM-SHA-1 is a password-based authentication mechanism that uses salted challenge–response hashing with SHA-1 to securely verify users without transmitting their plaintext passwords.
Statements (47)
| Predicate | Object |
|---|---|
| instanceOf | SASL mechanism; authentication mechanism |
| avoids | plaintext password transmission |
| basedOn | Salted Challenge Response Authentication Mechanism (SCRAM) |
| category | challenge–response authentication; password-authenticated key exchange |
| channelBindingVariant | SCRAM-SHA-1-PLUS |
| definedIn | RFC 5802 |
| designedFor | Simple Authentication and Security Layer (SASL) |
| designGoal | avoid sending passwords in cleartext; be suitable as a generic SASL mechanism; support server-side password database compromise mitigation |
| doesNotProvide | protection against weak passwords |
| hashFunction | SHA-1 |
| hasSuccessor | SCRAM-SHA-256; SCRAM-SHA-256-PLUS |
| messageFlow | client-first-message; server-first-message; client-final-message; server-final-message |
| negotiatedVia | SASL mechanism name "SCRAM-SHA-1" |
| passwordStorageModel | salted password verifier; server stores salted hash, not plaintext password |
| provides | protection against passive eavesdropping; protection against replay attacks |
| requires | configurable iteration count; unique salt per user |
| role | allows server to prove possession of stored verifier; verifies client knowledge of password |
| standardizedBy | Internet Engineering Task Force (IETF) |
| status | discouraged in new designs due to SHA-1 weaknesses |
| supportsChannelBindingVariant | SCRAM-SHA-1-PLUS |
| supportsFeature | mutual authentication; proof of knowledge of password; server authentication |
| updatedBy | RFC 7677 |
| usedIn | IMAP authentication; MongoDB authentication; PostgreSQL authentication; SMTP authentication; XMPP authentication |
| uses | iteration count; nonce; salt; stored salted password verifier |
| usesAlgorithm | SHA-1 |
| usesTechnique | salted challenge–response hashing |
Referenced by (2)
Full triples; the surface form is annotated where it differs from this entity's canonical label.
Subject surface form: MongoDB