Hi Colin,

If I understood correctly, in your design, listScramUsers will return the mechanism and iteration. Let’s use the field naming of RFC 5802 for this discussion:

    SaltedPassword  := Hi(Normalize(password), salt, i)
    ClientKey       := HMAC(SaltedPassword, "Client Key")
    StoredKey       := H(ClientKey)
    AuthMessage     := client-first-message-bare + "," +
                       server-first-message + "," +
                       client-final-message-without-proof
    ClientSignature := HMAC(StoredKey, AuthMessage)
    ClientProof     := ClientKey XOR ClientSignature
    ServerKey       := HMAC(SaltedPassword, "Server Key")
    ServerSignature := HMAC(ServerKey, AuthMessage)

I think it’s also safe and useful for listScramUsers to return salt and ServerKey. The current practice of --describe with --zookeeper is returning these two fields (KIP-84):

    bin/kafka-configs.sh --zookeeper localhost:2181 --describe --entity-type users --entity-name alice
    Configs for user-principal 'alice' are SCRAM-SHA-512=[salt=djR5dXdtZGNqamVpeml6NGhiZmMwY3hrbg==,stored_key=sb5jkqStV9RwPVTGxG1ZJHxF89bqjsD1jT4SFDK4An2goSnWpbNdY0nkq0fNV8xFcZqb7MVMJ1tyEgif5OXKDQ==,server_key=3EfuHB4LPOcjDH0O5AysSSPiLskQfM5K9+mOzGmkixasmWEGJWZv7svtgkP+acO2Q9ms9WQQ9EndAJCvKHmjjg==,iterations=4096],SCRAM-SHA-256=[salt=10ibs0z7xzlu6w5ns0n188sis5,stored_key=+Acl/wi1vLZ95Uqj8rRHVcSp6qrdfQIwZbaZBwM0yvo=,server_key=nN+fZauE6vG0hmFAEj/49+2yk0803y67WSXMYkgh77k=,iterations=4096]

Please let me know what you think.

Best,
- Cheng Tan

> On Apr 30, 2020, at 11:16 PM, Colin McCabe <cmcc...@apache.org> wrote:
>
>
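The RFC 5802 derivation quoted in the message, carried through to the server-side check that consumes the four stored fields (salt, iterations, StoredKey, ServerKey), as an added Python example that is not code from the post or from Kafka. It assumes SCRAM-SHA-256, plain UTF-8 encoding in place of SASLprep for Normalize(), constructed demo values for the salt and AuthMessage, and a hypothetical kafka_config_line() that only mimics the --describe output layout.

```python
import base64
import hashlib
import hmac
from typing import NamedTuple, Optional

H = hashlib.sha256  # SCRAM-SHA-256; SCRAM-SHA-512 is the same code with hashlib.sha512

class ScramCredential(NamedTuple):  # the four fields the server stores and --describe prints
    salt: bytes
    iterations: int
    stored_key: bytes
    server_key: bytes

def hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    # RFC 5802 Hi() is PBKDF2 with HMAC-H and a single output block.
    return hashlib.pbkdf2_hmac(H().name, password, salt, iterations)

def derive_credential(password: str, salt: bytes, iterations: int) -> ScramCredential:
    # Normalize() is SASLprep in the RFC; plain UTF-8 is assumed here.
    salted = hi(password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", H).digest()
    server_key = hmac.new(salted, b"Server Key", H).digest()
    return ScramCredential(salt, iterations, H(client_key).digest(), server_key)

def client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    # Client side: re-derive ClientKey from the password and the salt/i the server sent.
    salted = hi(password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", H).digest()
    signature = hmac.new(H(client_key).digest(), auth_message, H).digest()
    return bytes(a ^ b for a, b in zip(client_key, signature))

def server_verify(cred: ScramCredential, auth_message: bytes, proof: bytes) -> Optional[bytes]:
    # Server side: no password needed. Recover ClientKey = proof XOR ClientSignature,
    # check H(ClientKey) == StoredKey, then answer with ServerSignature (None on failure).
    signature = hmac.new(cred.stored_key, auth_message, H).digest()
    client_key = bytes(a ^ b for a, b in zip(proof, signature))
    if not hmac.compare_digest(H(client_key).digest(), cred.stored_key):
        return None
    return hmac.new(cred.server_key, auth_message, H).digest()

def kafka_config_line(mechanism: str, cred: ScramCredential) -> str:
    # Hypothetical helper: same layout as the kafka-configs --describe output (base64 values).
    b64 = lambda b: base64.b64encode(b).decode()
    return (f"{mechanism}=[salt={b64(cred.salt)},stored_key={b64(cred.stored_key)},"
            f"server_key={b64(cred.server_key)},iterations={cred.iterations}]")

# Constructed demo values; not taken from the mailing-list post.
DEMO_SALT = b"constructed-demo-salt"
DEMO_AUTH = b"n=alice,r=cnonce,r=cnoncesnonce,s=c2FsdA==,i=4096,c=biws,r=cnoncesnonce"
```

Run derive_credential() once at user creation and keep only the ScramCredential; server_verify() then completes an exchange from those fields alone.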