Salted Challenge Response HTTP Authentication Mechanism (RFC7804)

Disclosure Number: IPCOM000245437D
Original Publication Date: 2016-Mar-01
Included in the Prior Art Database: 2016-Mar-10
Document File: 36 page(s) / 40K

The authentication mechanism most widely deployed and used by Internet application protocols is the transmission of clear-text passwords over a channel protected by Transport Layer Security (TLS). There are some significant security concerns with that mechanism, which could be addressed by the use of a challenge response authentication mechanism protected by TLS. Unfortunately, the HTTP Digest challenge response mechanism presently on the Standards Track failed widespread deployment and has had only limited success.

This is the abbreviated version, containing approximately 7% of the total text.

Internet Engineering Task Force (IETF)                       A. Melnikov
Request for Comments: 7804                                     Isode Ltd
Category: Experimental                                        March 2016
ISSN: 2070-1721

         Salted Challenge Response HTTP Authentication Mechanism


   This specification describes a family of HTTP authentication mechanisms called the Salted Challenge Response Authentication Mechanism (SCRAM), which provides a more robust authentication mechanism than a plaintext password protected by Transport Layer Security (TLS) and avoids the deployment obstacles presented by earlier TLS-protected challenge response authentication mechanisms.

Status of This Memo

   This document is not an Internet Standards Track specification; it is published for examination, experimental implementation, and evaluation.

   This document defines an Experimental Protocol for the Internet community. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

   Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at

 RFC 7804                       HTTP SCRAM                     March 2016

 Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents ( in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions Used in This Document
     2.1.  Terminology
     2.2.  Notation

   3.  SCRAM Algorithm O...