SourceWhile TLS protects plaintext passwords handed to servers over HTTPS, the RFC's author Alexey Melnikov (also a co-author of the previous RFC) wants to see it made more robust with a challenge-response mechanism.
There is one, the HTTP Digest challenge-response mechanism, but Melnikov says it “failed widespread deployment and has had only limited success”. That complexity made it hard to protect “the whole authentication exchange”, Melnikov writes, leaving some exchanges vulnerable to some man-in-the-middle attacks.
Enter SCRAM, the Salted Challenge Response Authentication Mechanism. Originally developed in 2010 as RFC-5802, Melnikov's current document describes how it could be added to HTTP exchanges.
One thing on Melnikov's mind is to avoid the kinds of breaches that have been all-too-common this decade: with salting added to the client-server exchange, he says SCRAM can prevent user impersonation resulting from leaked credentials.
Industry news items concerning VPNs, darknets, crypto, surveillance and secure computing.
1 post • Page 1 of 1