On 14/08/2019 08:59, Peter Eisentraut wrote:
I'm confused by how the code uses the term "verifier" in relation to SCRAM.

ISTM that the code uses the term as meaning whatever is or would be
stored in pg_auth.rolpassword.

I don't see this usage supported in the RFCs.  In RFC 5802,

     verifier        = "v=" base64
                     ;; base-64 encoded ServerSignature.


     ServerSignature := HMAC(ServerKey, AuthMessage)
     ServerKey       := HMAC(SaltedPassword, "Server Key")
     AuthMessage     := client-first-message-bare + "," +
                        server-first-message + "," +

whereas what is stored in rolpassword is



     StoredKey       := H(ClientKey)
     ClientKey       := HMAC(SaltedPassword, "Client Key")

So while these are all related, I don't think it's accurate to call what
is in rolpassword a SCRAM "verifier".

Huh, you're right.

RFC 5803 is titled "Lightweight Directory Access Protocol (LDAP) Schema
for Storing Salted Challenge Response Authentication Mechanism (SCRAM)
Secrets".  Following that, I think calling the contents of rolpassword a
"secret" or a "stored secret" would be better.

RFC 5802 uses the term "Authentication information". See section "2.1 Terminology":

   o  Authentication information: Information used to verify an identity
      claimed by a SCRAM client.  The authentication information for a
      SCRAM identity consists of salt, iteration count, "StoredKey" and
      "ServerKey" (as defined in the algorithm overview) for each
      supported cryptographic hash function.

But I agree that "secret", as used in RFC5803 is better.

- Heikki

Reply via email to