[SERVER-32967] Enforce client side minimum SCRAM iteration count of 4096 iterations Created: 29/Jan/18  Updated: 29/Oct/23  Resolved: 13/Feb/18

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 3.7.2

Type: Improvement Priority: Major - P3
Reporter: Spencer Jackson Assignee: Sara Golemon
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Participants:

 Description   

Clients authenticating with SCRAM should ensure that they generate SaltedPasswords with a minimum of 4096 iterations.



 Comments   
Comment by Sara Golemon [ 13/Feb/18 ]

This got baked into SERVER-32836 https://github.com/mongodb/mongo/blob/da12466c2f109ada2d487db9c6fd92200f5b6b1d/src/mongo/crypto/mechanism_scram.h#L67

sasl_scram_client_conversation uses scram::Presecrets to generate its responses and if the provided "i=" value is less than 4096, then the constructor will throw leading to a failed authentication before anything sensitive is sent over the wire.
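
The check described in the description and in the comment above, as an added example that is not MongoDB's code (the server's own C++ lives in the linked mechanism_scram.h): a minimal SCRAM-SHA-1 client that parses the server-first message and refuses any "i=" below 4096 before PBKDF2 runs or a proof is built, beside a small server-side verifier showing that the proof from an accepted exchange is valid. It assumes SCRAM-SHA-1 as specified in RFC 5802 with no channel binding; the sample messages are constructed from the RFC 5802 test vector (password "pencil"), and the downgraded i=1000 message is a constructed stand-in for a misbehaving or impersonated server. Function names are this example's own.

```python
import base64
import hashlib
import hmac

MIN_ITERATIONS = 4096      # client-side floor this ticket asks for
GS2_HEADER_B64 = "biws"    # base64("n,,"): client supports no channel binding


class WeakIterationCount(ValueError):
    """Server advertised fewer PBKDF2 iterations than the client permits."""


def parse_attrs(msg: str) -> dict:
    """Split a SCRAM message 'k=v,k=v,...' into its attributes (RFC 5802 syntax)."""
    attrs = {}
    for part in msg.split(","):
        key, sep, value = part.partition("=")   # base64 '=' padding stays in value
        if not sep:
            raise ValueError(f"malformed SCRAM attribute: {part!r}")
        attrs[key] = value
    return attrs


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive_stored_key(password: str, salt: bytes, iterations: int) -> bytes:
    """What a SCRAM server keeps: StoredKey = H(HMAC(SaltedPassword, "Client Key"))."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    return hashlib.sha1(client_key).digest()


def client_final(password: str, username: str, client_nonce: str, server_first: str) -> str:
    """Build the client-final message, or raise before anything is derived from the password."""
    attrs = parse_attrs(server_first)
    iterations = int(attrs["i"])
    # The floor is enforced first: a downgraded i= never reaches PBKDF2 or the wire.
    if iterations < MIN_ITERATIONS:
        raise WeakIterationCount(f"server offered i={iterations}, need >= {MIN_ITERATIONS}")
    nonce = attrs["r"]
    if not nonce.startswith(client_nonce):   # RFC 5802: server nonce extends ours
        raise ValueError("server nonce does not extend the client nonce")
    salt = base64.b64decode(attrs["s"])
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    client_first_bare = f"n={username},r={client_nonce}"
    without_proof = f"c={GS2_HEADER_B64},r={nonce}"
    auth_message = f"{client_first_bare},{server_first},{without_proof}".encode()
    client_signature = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    proof = _xor(client_key, client_signature)
    return f"{without_proof},p={base64.b64encode(proof).decode()}"


def server_verify(stored_key: bytes, username: str, client_nonce: str,
                  server_first: str, final_msg: str) -> bool:
    """Server side: recover ClientKey from the proof and compare its hash to StoredKey."""
    attrs = parse_attrs(final_msg)
    proof = base64.b64decode(attrs["p"])
    client_first_bare = f"n={username},r={client_nonce}"
    without_proof = f"c={attrs['c']},r={attrs['r']}"
    auth_message = f"{client_first_bare},{server_first},{without_proof}".encode()
    client_signature = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    client_key = _xor(proof, client_signature)
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), stored_key)


# Constructed sample exchange: the RFC 5802 test vector (user "user", password "pencil").
USERNAME = "user"
CLIENT_NONCE = "fyko+d2lbbFgONRv9qkxdawL"
SERVER_FIRST_OK = "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096"
# Same message with a downgraded iteration count, as a bad server (or a MITM) would send.
SERVER_FIRST_WEAK = SERVER_FIRST_OK.replace("i=4096", "i=1000")


def demo() -> dict:
    """Run the accepted and the rejected case; returns the outcomes for inspection."""
    final = client_final("pencil", USERNAME, CLIENT_NONCE, SERVER_FIRST_OK)
    salt = base64.b64decode(parse_attrs(SERVER_FIRST_OK)["s"])
    stored = derive_stored_key("pencil", salt, 4096)
    accepted = server_verify(stored, USERNAME, CLIENT_NONCE, SERVER_FIRST_OK, final)
    try:
        client_final("pencil", USERNAME, CLIENT_NONCE, SERVER_FIRST_WEAK)
        rejected = False
    except WeakIterationCount:
        rejected = True
    return {"client_final": final, "server_accepts": accepted, "weak_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

Ordering is the whole point: the iteration check and the nonce check sit before `pbkdf2_hmac`, so a server that advertises i=1000 gets an aborted conversation and nothing derived from the password ever leaves the client, which is the behaviour the comment above describes for the `scram::Presecrets` constructor.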

Generated at Thu Feb 08 04:31:52 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.