Salted Challenge Response Authentication Mechanism

Because SCRAM is specified as a Simple Authentication and Security Layer (SASL) mechanism, it can be used for password-based logins to services such as LDAP, HTTP, SMTP, POP3, IMAP and JMAP (e-mail), XMPP (chat), or MongoDB and PostgreSQL (databases).

Alice could simply send her password to Bob in clear text over an unencrypted connection, for him to verify.

When Mallory runs a man-in-the-middle attack and forges a CA signature, she could retrieve a hash of the password.

To mount a fully transparent attack, Mallory would need to know Alice's password or Bob's secret encryption key.

Bob has heard of server database breaches and has decided that he does not want to store his users' passwords in clear text.

To solve this problem, they use SCRAM, which lets Bob store the password in a salted form derived with PBKDF2.

As mentioned in the Motivation section, SCRAM uses PBKDF2, which increases resistance to brute-force attacks if a data leak occurs on the server.

Let H be the selected hash function, given by the name of the algorithm advertised by the server and chosen by the client.

The client derives a key, or salted password, from the password, a salt, and a number of computational iterations as follows:

RFC 5802 names four consecutive messages between server and client:

The client and the server prove to each other that they have the same Auth variable, consisting of:

More concretely, this takes the form:

The proofs are calculated as follows:

where the XOR operation is applied to byte strings of the same length, and H(ClientKey) is a normal hash of ClientKey.
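As an added example (not code from the page), here is the four-message exchange described above written out in Python following RFC 5802 with SHA-256 as H (RFC 7677): Bob stores only the salt, iteration count, StoredKey = H(ClientKey) and ServerKey, and Alice proves knowledge of the password without ever sending it. It assumes no channel binding and no SASLprep normalization of the password; the user name, salt and password are constructed values.

```python
import base64
import hashlib
import hmac
import os

# Added example, not the page's code: minimal SCRAM-SHA-256 (RFC 5802 / RFC 7677),
# no channel binding ("n,," GS2 header), no SASLprep normalization of the password.

def hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    # Hi() in RFC 5802 is PBKDF2 with HMAC-H; here H is SHA-256.
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()
def hmac_h(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()
def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)  # XOR is only defined on equal-length byte strings
    return bytes(x ^ y for x, y in zip(a, b))

def make_verifier(password: bytes, salt: bytes, iterations: int) -> dict:
    """Server-side record: only StoredKey and ServerKey are kept, never the password."""
    salted = hi(password, salt, iterations)
    client_key = hmac_h(salted, b"Client Key")
    return {"salt": salt, "iterations": iterations,
            "stored_key": h(client_key),                  # StoredKey = H(ClientKey)
            "server_key": hmac_h(salted, b"Server Key")}

def scram_exchange(username: str, password: bytes, verifier: dict) -> tuple:
    """Run the four SCRAM messages; return (server accepted client, client accepted server)."""
    b64 = lambda raw: base64.b64encode(raw).decode()
    # 1. client-first-message: GS2 header "n,," plus the bare part (user and client nonce).
    client_nonce = b64(os.urandom(18))
    client_first_bare = f"n={username},r={client_nonce}"
    # 2. server-first-message: combined nonce, salt and iteration count from the verifier.
    nonce = client_nonce + b64(os.urandom(18))
    server_first = f"r={nonce},s={b64(verifier['salt'])},i={verifier['iterations']}"
    # 3. client-final-message: channel-binding field, nonce, then the proof over AuthMessage.
    client_final_bare = f"c={b64(b'n,,')},r={nonce}"
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode()
    salted = hi(password, verifier["salt"], verifier["iterations"])
    client_key = hmac_h(salted, b"Client Key")
    client_proof = xor(client_key, hmac_h(h(client_key), auth_message))  # ClientKey XOR ClientSignature
    # Server side: ClientKey = ClientProof XOR HMAC(StoredKey, AuthMessage); check H(ClientKey) == StoredKey.
    recovered_key = xor(client_proof, hmac_h(verifier["stored_key"], auth_message))
    server_ok = hmac.compare_digest(h(recovered_key), verifier["stored_key"])
    # 4. server-final-message: ServerSignature = HMAC(ServerKey, AuthMessage), verified by the client.
    server_sig = hmac_h(verifier["server_key"], auth_message)
    expected_sig = hmac_h(hmac_h(salted, b"Server Key"), auth_message)
    client_ok = server_ok and hmac.compare_digest(server_sig, expected_sig)
    return server_ok, client_ok
```

Because the server only ever sees ClientProof, a wiretapped exchange does not reveal the salted password, and a leaked verifier still requires a PBKDF2 brute force to recover it.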

Channel binding is optional in SCRAM, and the gs2-cbind-flag variable protects against downgrade attacks.

When a server supports channel binding, it adds the character sequence '-PLUS' to the advertised SCRAM algorithm name.