[CSHARP-2171] SCRAM-SHA-256 Support Created: 02/Feb/18  Updated: 28/Oct/23  Resolved: 18/Jun/18

Status: Closed
Project: C# Driver
Component/s: None
Affects Version/s: None
Fix Version/s: 2.7.0

Type: New Feature Priority: Major - P3
Reporter: Rathi Gnanasekaran Assignee: Vincent Kam (Inactive)
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
is depended on by DRIVERS-439 SCRAM-SHA-256 Support Closed
Epic Link: CSHARP MongoDB 4.0 Support

Description

The next version of MongoDB will include SCRAM-SHA-256 as an authentication type. This is defined in RFC 7677. The sample conversation from the RFC is:

 This is a simple example of a SCRAM-SHA-256 authentication exchange... The username
   'user' and password 'pencil' are being used
 
   C: n,,n=user,r=rOprNGfwEbeRWgbNEkqO
 
   S: r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,
      s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096
 
   C: c=biws,r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,
      p=dHzbZapWIk4jUhN+Ute9ytag9zjfMHgsqmmiz7AndVQ=
 
   S: v=6rriTRBi23WpRR/wtup+mMhUZUn/dB5nLTJRsjl95G4=

In advance of updates to the Auth spec, which will include additional details of mechanism negotiation and user/password normalization (see DRIVERS-444), all drivers should take steps now to ensure their SCRAM libraries are capable of operating in SHA-256 mode, using the sample conversation for verification. (You'll need to force the client nonce to be "rOprNGfwEbeRWgbNEkqO" for the test conversation to work.)



Comments
Comment by Githook User [ 18/Jun/18 ]

Author:

{'username': 'vincentkam', 'name': 'vincentkam', 'email': 'vincent.kam@10gen.com'}

Message: CSHARP-2171: SCRAM-SHA-256 Support
Branch: master
https://github.com/mongodb/mongo-csharp-driver/commit/4892dcc5e115a7031d1ba4943cd0ccb55795d2a9

Comment by Jeffrey Yemin [ 04/May/18 ]

I think 3. is the best option. MIT license is permissive enough for use in our project.

Comment by Vincent Kam (Inactive) [ 03/May/18 ]

SCRAM-SHA-256 requires implementing Rfc2898 with SHA-256 (see https://tools.ietf.org/html/rfc7677#section-3, and the definition of Hi() under https://tools.ietf.org/html/rfc5802#section-2.2).

For SCRAM-SHA-1, a library function called Rfc2898DeriveBytes was used. This function was available for .NET Framework 4.5 and .NET Standard 1.5, the versions of .NET the C# driver targets.

However, for those versions of .NET, Rfc2898DeriveBytes only supports SHA-1. SHA-256 support is available in .NET Framework 4.7.2 (ref) and .Net Core 2.0 (ref). It's worth noting that no version of .NET Standard currently has a version of Rfc2898DeriveBytes that supports SHA-256.

After discussing this briefly with jeff.yemin, rstam, and craiggwilson, we have the following options on the table thus far:

  1. Only enabling support for SCRAM-SHA-256 on .NET Framework >=4.7.2 (released 2018-4-30) and .NET Core 2.0 (released 2017-8-14). Downsides include needing to target .Net Core in addition to .Net Standard.
  2. Writing our own implementation of Rfc2898DeriveBytes. I believe the implementation will be non-trivial. As a point of reference, the CoreFX version is 294 lines of code, not including helper classes.
  3. Vendoring in the version from the CoreFX project (https://github.com/dotnet/corefx/blob/master/src/System.Security.Cryptography.Algorithms/src/System/Security/Cryptography/Rfc2898DeriveBytes.cs), which uses an MIT License (https://github.com/dotnet/corefx/blob/master/LICENSE.TXT). Complications include needing to port in internal helper classes and possibly modifying the code (which was first added in .Net Core 2.0) so that it works with .Net Standard 1.5 (limiting us to .NET Core 1.0) and with .NET Framework 4.5.


On the bright side, using .NET Framework 4.7.2’s Rfc2898DeriveBytes, I was able to get the initial test conversation to pass.
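As an added worked example (not code from this ticket or from the C# driver), the following Python reproduces the RFC 7677 sample conversation quoted in the description with the client nonce forced to rOprNGfwEbeRWgbNEkqO; Hi() is implemented as PBKDF2-HMAC-SHA-256, the derivation the comment above notes Rfc2898DeriveBytes lacked on the driver's older .NET targets. Function and variable names are my own.

```python
import base64
import hashlib
import hmac

# Values from the RFC 7677 section 3 sample conversation quoted in the ticket description.
USERNAME = "user"
PASSWORD = "pencil"
# Forced client nonce, as the description notes, so the vector reproduces exactly.
CLIENT_NONCE = "rOprNGfwEbeRWgbNEkqO"
SERVER_FIRST = "r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096"
GS2_HEADER = "n,,"  # no channel binding; base64 of this is the "c=biws" attribute


def parse_attrs(msg):
    """Split a SCRAM message such as 'r=...,s=...,i=4096' into a dict of attributes."""
    return dict(part.split("=", 1) for part in msg.split(","))


def hi(password, salt, iterations):
    """Hi() from RFC 5802 section 2.2: PBKDF2 with HMAC-SHA-256 as the PRF, 32-byte output."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, 32)


def scram_sha256_client(username, password, client_nonce, server_first):
    """Compute the client-final message and the server-final message the client must expect."""
    attrs = parse_attrs(server_first)
    combined_nonce = attrs["r"]
    # The server nonce must extend our nonce; otherwise the response is not for this exchange.
    if not combined_nonce.startswith(client_nonce):
        raise ValueError("server nonce does not extend the client nonce")
    salt = base64.b64decode(attrs["s"])
    iterations = int(attrs["i"])

    client_first_bare = f"n={username},r={client_nonce}"
    channel_binding = base64.b64encode(GS2_HEADER.encode("utf-8")).decode("ascii")
    client_final_bare = f"c={channel_binding},r={combined_nonce}"
    auth_message = ",".join([client_first_bare, server_first, client_final_bare]).encode("utf-8")

    salted_password = hi(password, salt, iterations)
    client_key = hmac.new(salted_password, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    client_signature = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    client_proof = bytes(a ^ b for a, b in zip(client_key, client_signature))
    server_key = hmac.new(salted_password, b"Server Key", hashlib.sha256).digest()
    server_signature = hmac.new(server_key, auth_message, hashlib.sha256).digest()
    client_final = f"{client_final_bare},p={base64.b64encode(client_proof).decode('ascii')}"
    server_final = f"v={base64.b64encode(server_signature).decode('ascii')}"
    return client_final, server_final
```

The returned client_final must match the RFC's client-final message and server_final its v= line; a real client compares the received v= value against server_final with hmac.compare_digest before trusting the server.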

Generated at Wed Feb 07 21:41:48 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.