RFC Errata


Errata Search

 
Source of RFC  
Summary Table Full Records

RFC 5802, "Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms", July 2010

Source of RFC: sasl (sec)

Errata ID: 5882
Status: Rejected
Type: Technical
Publication Format(s) : TEXT

Reported By: Neil Madden
Date Reported: 2019-10-25
Rejected by: Benjamin Kaduk
Date Rejected: 2019-10-25

Section 2.2 says:

Hi(str, salt, i):

     U1   := HMAC(str, salt + INT(1))
     U2   := HMAC(str, U1)
     ...
     Ui-1 := HMAC(str, Ui-2)
     Ui   := HMAC(str, Ui-1)

     Hi := U1 XOR U2 XOR ... XOR Ui

It should say:

Hi(str, salt, i):

     U1   := HMAC(str, salt + INT(i))
     U2   := HMAC(str, U1)
     ...
     Ui-1 := HMAC(str, Ui-2)
     Ui   := HMAC(str, Ui-1)

     Hi := U1 XOR U2 XOR ... XOR Ui

Notes:

The first round of PBKDF2 is defined incorrectly with a hard-coded value "INT(1)" rather than "INT(i)" (the iteration count). See RFC 2898 section 5.2 step 3. This error means that the computation of PBKDF2 with n iterations is a prefix of the computation required for PBKDF2 with m iterations (with m > n), which is otherwise not the case (and may have security implications?).
--VERIFIER NOTES--
Rejected per submitter request. The 1 here indicates it is the first block of the output stream being computed, and only one such block is needed.

Report New Errata