Re: SCRAM salt length

Heikki Linnakangas <hlinnaka@iki.fi>

From: Heikki Linnakangas <hlinnaka@iki.fi>
To: Robert Haas <robertmhaas@gmail.com>, Michael Paquier <michael.paquier@gmail.com>
Cc: Aleksander Alekseev <a.alekseev@postgrespro.ru>, Peter Eisentraut <peter.eisentraut@2ndquadrant.com>, pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2017-08-17T13:21:43Z
Lists: pgsql-hackers
On 08/17/2017 04:04 PM, Robert Haas wrote:
> On Wed, Aug 16, 2017 at 10:42 PM, Michael Paquier
> <michael.paquier@gmail.com> wrote:
>> In the initial discussions there was as well a mention about using 16 bytes.
>> https://www.postgresql.org/message-id/507550BD.2030401@vmware.com
>> As we are using SCRAM-SHA-256, let's bump it up and be consistent.
>> That's now or never.
> 
> This was discussed and changed once before at
> https://www.postgresql.org/message-id/df8c6e27-4d8e-5281-96e5-131a4e638fc8@8kdata.com

Different thing. That was the nonce length, now we're talking about salt 
length.

I think 2^96 is large enough. The RFC doesn't say anything about salt 
length, but the one example in it uses a 16 byte string as the salt. 
That's more or less equal to the current default of 12 raw bytes, after 
base64-encoding.

On 08/17/2017 05:42 AM, Michael Paquier wrote:
 > That's now or never.

Not really. That constant is just the default to use when creating new 
password verifiers, but the code can handle any salt length, and 
different verifiers can have different lengths.

- Heikki


Commits

  1. Increase SCRAM salt length

  2. Make SCRAM salts and nonces longer.