Security is important to us, here at Couchbase. I'd like to draw your attention to a new security feature in Couchbase 4.5 that might otherwise go unnoticed: SCRAM-SHA (pronounced like 'scram-shaw').
SCRAM (Salted Challenge Response Authentication Mechanism) is a password-based way of authenticating a user. It provides additional security against brute-force attacks, in the case that your servers are ever compromised. Previous versions of Couchbase used a CRAM-MD5 login scheme, which are more vulnerable to such attacks.
I found a great white paper that summarizes SCRAM and its benefits over CRAM-MD5. My summary of that summary on how SCRAM is an improvement:
- SCRAM specifies a format for a secret: hashed data value, salt value, iteration count
- This secret on its own cannot be used to trick the authentication system
- SCRAM exchanges hashed items between client and server, which cannot be “played back”
- SCRAM can be used with any hash algorithm (like SHA1)
So, what do I have to do to use SCRAM-SHA?
Upgrade to Couchbase 4.5. The SDK (when applicable–not all SDKs support this yet) will handle the details. It will use SCRAM-SHA if it can, and it will fall back to CRAM-MD5 if you are running an older version of Couchbase. Using TLS is still recommended to maximize security.
One more thing: SCRAM supports many hash algorithms. Couchbase Server supports SHA1, SHA-256 and SHA-512. The SDK picks the “highest”, so SHA-512 is always used.
That's the quick intro! Any questions? Leave a comment, or ask a question in the Couchbase Forums