@ruff (SCRAM with and without channel binding, e.g. with and without -PLUS)

@Monal yup got it so i need to use /authentication:urn:xmpp:sasl:2 in features instead of /mechanisms:urn:ietf:params:xml:ns:xmpp-sasl for it to accept scram.

@ruff exactly. You can check the wiki at https://monal-im.org for best practices and server configuration advice's, too :)

@Monal Ok, added 0388 implementation, not advertising -PLUS, and getting now this:
_incomplete XEP-0388 support, XEP-0440 MUST be implemented and this mandates that servers MUST at least implement tls-server-end-point__
Ok, fair enough, if server sent PLUS, but it didn't

@ruff you'll have to implement xep-0474 to sign your mechanism list for monal to accept it. Otherwise an attacker could trivially strip the *-PLUS mechanisms and XEP-0440 channel bindings list to downgrade you to no channel binding.

@Monal Ok so only way to use SCRAM is to implement 388 and 474, while PLAIN could be used without all the hassles? like really? :)

@Monal but the whole point was to allow monal to use server with dovecot sasl provider. apparently I cannot force Dovecot to add some extra field to the SASL challenge this effort is futile then ;(

@ruff well, gold security almost always involves some hassle.

That said, maybe we could implement pinning if 0474 isn't supported. That won't protect the very first connection and going from something like SCRAM-SHA-512 to SCRAM-SHA-256 or SCRAM-SHA-1 on the server will leave monal not being able to authenticate (the whole point of pinning is to prevent those downgrades), but it would be better than nothing.
What do you think?

@Monal First problem i see is that monal is sending n,, - it does support PLUS, but server advertised it's not, so it should send y,, instead indicating it didn't see PLUS in adv. That would already allow raising a flag to the server which actually advertised PLUS. That wouldn't allow catching downgrade to SHA-1-PLUS but would prevent downgrade to non-cb SCRAM mech.

@Monal Second problem is 474 is intervening into SCRAM mech by forcing undeclared server message. THere is compliant way to do that - optional extensions. I.e. we can include client hash as optional SASL extension attribute:
y,,n=me,r=E3F76B57-CBDE-46A3-979A-F9B1660B0685,g=1B86B264-2A11-4DEF-92C7-6ED78DAFBC95,h=0a1b2c3d4e5f
and that would include it into client-first-bare and hence part of AuthMessage and thus ClientSignature. SASL backend will just ignore it's meaning but keep in AuthMessage

@Monal server can then extract this attribute and compare it with own signature. heck it can even strip it and replace with own signature - either way being part of ClientSignature and hence ClientProof its tampering will break the auth.

@ruff regarding PLAIN, well, that's the common denominator supported almost everywhere. But it doesn't give any security guarantees at all.

@Monal ok so the idea behind such scrutinity for SCRAM is to avoid user having false perception of being secure by using more secure mech? But if client choses plain - he's on his own and accepts all the risks.

@ruff did you read xep 0474? It contains a whole block of text going into detail why sending "y" isn't as simple as it may seem.

Anyways, we can discuss this further on xmpp, if you want: xmpp:thilo.molitor@juforum.de

@Monal yes, I was part of similar discussion some time ago on xmpp maillist but while i supported the idea it's better to send n when you don't have mechanism to agree on binding type and you suspect that type you support is unlikely to be supported by tge server it's better to send n, but if server is not sending any -PLUS - y for me is a must have. Perhaps I need to undust my xmpp maillist and start it over there.

@ruff the thing Herr is: you have to behave differently if the server supports signing the cb and method lists using 0474 and if it doesn't. An attacker won't be able to fake that signature so its safe to rely on this signal.

If 474 isn't supported, "y" is the right way to do it, if it is supported, "n" is the right way.

Monal doesn't do this distinction yet and that's clearly a bug, I'll fix that.

@ruff well, unfortunately its a lot more complicated: we can't know if the server supports ssdp when sending the clientfirst message. But that's where the y or n must be set.

@ruff there might be a path of sending y without weakening the security guarantees of ssdp etc. if no 440 channel bindings are anounced, but I'll have to think this through more thoroughly...

@ruff it took me several hours to figure out every possible combination of PLUS method (non)advertising, SSDP (non)support and gss header, each with and without mitm attacker. But now I found a way to support your usecase without introducing any new security holes.

Here it is: https://github.com/monal-im/Monal/commit/e19cba5d2917c1cac1a75617fd6bdada15ebcf8f

This will be part of the next beta and stable releases and is already part of the latest alpha release :)

@Monal yup that is exactly what I meant, thanks for improving. I'm still working with my test cases to check ssdp by using sasl optional extensions. first indication is positive though, so once finished with draft implementation will send proposal to the list.

@ruff what proposal exactly do you mean? Ssdp already uses an optional attribute (h is optional, only m would be mandatory).

@Monal this attribute must be sent by server, you cannot force arbitrary sasl backend to send custom attribute. You can send it from the client though as optional extension and any compliant backend should ignore it but include into authmessage (hence signature).

@ruff why should servers not be allowed to send optional attributes? Nothing in the rfc says "optional attributes are only allowed if the client sends them". So: sure, the server is allowed to send optional attributes. And clients are of course allowed to abort authentication if the are not satisfied with the optional attributes they get from the server.

I really don't see the rfc saying otherwise.

@Monal it's not about being "allowed" it's about having possibility. As mentioned early I'm working with dovecot backend. I have no means to inject custom attribute into its server-first. Similar is with other sasl libs i worked with.

@ruff yeah, so you won't be able to implement ssdp, but you would not be able to implement it if the client sent the hash, too.

You need the other side to check the hash. So in principle both directions are possible. But the client needs to know, if the server checks the ssdp hash and that can only be communicated in a scram attribute as well, because it could be manipulated by an attacker otherwise.

@ruff
--> the server always needs to send an optional attribute, either the hash itself, or a flag indicating ssdp support.