RFC 5802, "Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms", July 2010
Source of RFC: sasl (sec)
Errata ID: 5882
Publication Format(s): TEXT
Reported By: Neil Madden
Date Reported: 2019-10-25
Rejected by: Benjamin Kaduk
Date Rejected: 2019-10-25
Section 2.2 says:
Hi(str, salt, i):

U1   := HMAC(str, salt + INT(1))
U2   := HMAC(str, U1)
...
Ui-1 := HMAC(str, Ui-2)
Ui   := HMAC(str, Ui-1)

Hi := U1 XOR U2 XOR ... XOR Ui
It should say:
Hi(str, salt, i):

U1   := HMAC(str, salt + INT(i))
U2   := HMAC(str, U1)
...
Ui-1 := HMAC(str, Ui-2)
Ui   := HMAC(str, Ui-1)

Hi := U1 XOR U2 XOR ... XOR Ui
The first round of PBKDF2 is defined incorrectly with a hard-coded value "INT(1)" rather than "INT(i)" (the iteration count). See RFC 2898 section 5.2 step 3. This error means that the computation of PBKDF2 with n iterations is a prefix of the computation required for PBKDF2 with m iterations (with m > n), which is otherwise not the case (and may have security implications?).
Rejected per submitter request. The 1 here indicates it is the first block of the output stream being computed, and only one such block is needed.
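
The rejection reason can be checked directly. The following is an added example, not part of the erratum or the RFC: it implements Hi as written in Section 2.2 and compares it with the standard library's PBKDF2, showing that INT() carries the output block index rather than the iteration count. The `block_index` parameter and the sample password and salt are assumptions made for this example.

```python
import hashlib
import hmac

# Constructed sample inputs, not taken from the erratum or the RFC.
PASSWORD = b"constructed-password"
SALT = b"constructed-salt"
ITERATIONS = 4096
HLEN = hashlib.sha1().digest_size  # 20 bytes: one PBKDF2 output block


def hi(password, salt, i, block_index=1):
    """Hi(str, salt, i) as in RFC 5802 section 2.2, with HMAC-SHA-1.

    block_index is the value given to INT(); the RFC fixes it at 1.
    It is a parameter here (an assumption of this example) only so the
    erratum's proposed INT(i) can be tried as well.
    """
    # INT(g) is a 4-octet, most-significant-octet-first encoding.
    u = hmac.new(password, salt + block_index.to_bytes(4, "big"), "sha1").digest()
    out = u
    for _ in range(i - 1):
        u = hmac.new(password, u, "sha1").digest()
        out = bytes(a ^ b for a, b in zip(out, u))
    return out


def first_block_matches(block_index):
    """Does Hi with this INT() value equal PBKDF2's first output block?"""
    expected = hashlib.pbkdf2_hmac("sha1", PASSWORD, SALT, ITERATIONS, dklen=HLEN)
    return hi(PASSWORD, SALT, ITERATIONS, block_index) == expected


def second_block_matches():
    """PBKDF2's second block is the same chain started with INT(2)."""
    two_blocks = hashlib.pbkdf2_hmac("sha1", PASSWORD, SALT, ITERATIONS, dklen=2 * HLEN)
    return hi(PASSWORD, SALT, ITERATIONS, block_index=2) == two_blocks[HLEN:]


if __name__ == "__main__":
    print("INT(1) matches PBKDF2 block 1:", first_block_matches(1))
    print("INT(i) matches PBKDF2 block 1:", first_block_matches(ITERATIONS))
    print("INT(2) matches PBKDF2 block 2:", second_block_matches())
```

An implementation that used INT(i) would derive a different SaltedPassword from every conforming SCRAM peer and from any stored credentials produced with standard PBKDF2.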