From: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi> |
---|---|
To: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: use of the term "verifier" with SCRAM |
Date: | 2019-08-14 08:41:15 |
Message-ID: | fbb1575d-6c68-0bb1-46e8-3df49298963c@iki.fi |
Lists: | pgsql-hackers |
On 14/08/2019 08:59, Peter Eisentraut wrote:
> I'm confused by how the code uses the term "verifier" in relation to SCRAM.
>
> ISTM that the code uses the term as meaning whatever is or would be
> stored in pg_auth.rolpassword.
>
> I don't see this usage supported in the RFCs. In RFC 5802,
>
>     verifier = "v=" base64
>                ;; base-64 encoded ServerSignature.
>
> where
>
>     ServerSignature := HMAC(ServerKey, AuthMessage)
>     ServerKey       := HMAC(SaltedPassword, "Server Key")
>     AuthMessage     := client-first-message-bare + "," +
>                        server-first-message + "," +
>                        client-final-message-without-proof
>
> whereas what is stored in rolpassword is
>
>     SCRAM-SHA-256$<iterations>:<salt>$<storedkey>:<serverkey>
>
> where
>
>     StoredKey := H(ClientKey)
>     ClientKey := HMAC(SaltedPassword, "Client Key")
>
> So while these are all related, I don't think it's accurate to call what
> is in rolpassword a SCRAM "verifier".

Huh, you're right.

> RFC 5803 is titled "Lightweight Directory Access Protocol (LDAP) Schema
> for Storing Salted Challenge Response Authentication Mechanism (SCRAM)
> Secrets". Following that, I think calling the contents of rolpassword a
> "secret" or a "stored secret" would be better.

RFC 5802 uses the term "Authentication information". See section "2.1
Terminology":

    o Authentication information: Information used to verify an identity
      claimed by a SCRAM client. The authentication information for a
      SCRAM identity consists of salt, iteration count, "StoredKey" and
      "ServerKey" (as defined in the algorithm overview) for each
      supported cryptographic hash function.

But I agree that "secret", as used in RFC 5803, is better.

- Heikki
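
Added example (not part of the original message and not PostgreSQL's code): the sketch below builds the stored secret in the rolpassword layout quoted above and, separately, the RFC 5802 "v=" verifier for one exchange, showing that the first is long-lived while the second depends on each AuthMessage. The password, salt, nonces, user name and function names are constructed for illustration; base64 encoding of the stored fields and an ASCII password (no SASLprep) are assumptions.

```python
import base64
import hashlib
import hmac

def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")

def build_stored_secret(password: str, salt: bytes, iterations: int) -> str:
    """Long-lived value: SCRAM-SHA-256$<iterations>:<salt>$<storedkey>:<serverkey>."""
    # SaltedPassword := Hi(password, salt, i), where Hi is PBKDF2 with HMAC.
    # Assumption: ASCII password, so SASLprep normalization is skipped.
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("ascii"), salt, iterations)
    stored_key = hashlib.sha256(hmac_sha256(salted, b"Client Key")).digest()
    server_key = hmac_sha256(salted, b"Server Key")
    # Assumption: the three binary fields are base64-encoded in the string.
    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"

def parse_stored_secret(secret: str) -> dict:
    scheme, params, keys = secret.split("$")
    if scheme != "SCRAM-SHA-256":
        raise ValueError("not a SCRAM-SHA-256 stored secret")
    iterations, salt = params.split(":")
    stored_key, server_key = (base64.b64decode(k) for k in keys.split(":"))
    return {"iterations": int(iterations), "salt": base64.b64decode(salt),
            "stored_key": stored_key, "server_key": server_key}

def build_auth_message(user: str, client_nonce: str, server_nonce: str, secret: str) -> str:
    """client-first-message-bare, server-first-message, client-final-message-without-proof."""
    p = parse_stored_secret(secret)
    nonce = client_nonce + server_nonce
    return ",".join([f"n={user},r={client_nonce}",
                     f"r={nonce},s={b64(p['salt'])},i={p['iterations']}",
                     f"c=biws,r={nonce}"])

def rfc_verifier(secret: str, auth_message: str) -> str:
    """Per-exchange value from RFC 5802: "v=" base64(HMAC(ServerKey, AuthMessage))."""
    server_key = parse_stored_secret(secret)["server_key"]
    return "v=" + b64(hmac_sha256(server_key, auth_message.encode("ascii")))

if __name__ == "__main__":
    # Constructed sample values, not taken from any real system.
    secret = build_stored_secret("correct horse", bytes(range(16)), 4096)
    print(secret)
    for server_nonce in ("srvNonce1", "srvNonce2"):
        msg = build_auth_message("alice", "cliNonce", server_nonce, secret)
        print(rfc_verifier(secret, msg))
```

The stored string is identical on every run for the same password, salt and iteration count, while the two printed "v=" values differ because only the server nonce in AuthMessage changed.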