Re: [HACKERS] SCRAM salt length

On 08/17/2017 01:50 PM, Peter Eisentraut wrote:
> On 8/17/17 12:10, Heikki Linnakangas wrote:
>> On 08/17/2017 05:23 PM, Peter Eisentraut wrote:
>>> On 8/17/17 09:21, Heikki Linnakangas wrote:
>>>> The RFC doesn't say anything about salt
>>>> length, but the one example in it uses a 16 byte string as the salt.
>>>> That's more or less equal to the current default of 12 raw bytes, after
>>>> base64-encoding.
>>>
>>> The example is
>>>
>>>     S: r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,
>>>        s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096
>>>
>>> That salt is 24 characters and 16 raw bytes.
>>
>> Ah, I see, that's from the SCRAM-SHA-256 spec. I was looking at the
>> example in the original SCRAM-SHA-1 spec:
>>
>> S: r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,
>>        i=4096
>
> Hence my original inquiry: "I suspect that this length was chosen based
> on the example in RFC 5802 (SCRAM-SHA-1) section 5.  But the analogous
> example in RFC 7677 (SCRAM-SHA-256) section 3 uses a length of 16.
> Should we use that instead?"

Unless there is some significant downside to using 16 byte salt, that
would be my vote.

Joe

--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development