RFC Errata
RFC 5802, "Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms", July 2010
Note: This RFC has been updated by RFC 7677, RFC 9266
Source of RFC: sasl (sec)
Errata ID: 5882
Status: Rejected
Type: Technical
Publication Format(s) : TEXT
Reported By: Neil Madden
Date Reported: 2019-10-25
Rejected by: Benjamin Kaduk
Date Rejected: 2019-10-25
Section 2.2 says:
Hi(str, salt, i):
U1 := HMAC(str, salt + INT(1))
U2 := HMAC(str, U1)
...
Ui-1 := HMAC(str, Ui-2)
Ui := HMAC(str, Ui-1)
Hi := U1 XOR U2 XOR ... XOR Ui
It should say:
Hi(str, salt, i):
U1 := HMAC(str, salt + INT(i))
U2 := HMAC(str, U1)
...
Ui-1 := HMAC(str, Ui-2)
Ui := HMAC(str, Ui-1)
Hi := U1 XOR U2 XOR ... XOR Ui
Notes:
The first round of PBKDF2 is defined incorrectly with a hard-coded value "INT(1)" rather than "INT(i)" (the iteration count). See RFC 2898 section 5.2 step 3. This error means that the computation of PBKDF2 with n iterations is a prefix of the computation required for PBKDF2 with m iterations (with m > n), which is otherwise not the case (and may have security implications?).
--VERIFIER NOTES--
Rejected per submitter request. The 1 here indicates it is the first block of the output stream being computed, and only one such block is needed.