Security is important to us, here at Couchbase. I'd like to draw your attention to a new security feature in Couchbase 4.5 that might otherwise go unnoticed: SCRAM-SHA (pronounced like 'scram-shaw').

Scram! Licensed through Creative Commons via Michael Pereckas - https://www.flickr.com/people/53332339@N00

SCRAM (Salted Challenge Response Authentication Mechanism) is a password-based way of authenticating a user. It provides additional protection against brute-force attacks if your servers are ever compromised. Previous versions of Couchbase used a CRAM-MD5 login scheme, which is more vulnerable to such attacks.

I found a great white paper that summarizes SCRAM and its benefits over CRAM-MD5. My summary of that summary on how SCRAM is an improvement:

  • SCRAM specifies a format for a secret: hashed data value, salt value, iteration count
  • This secret on its own cannot be used to trick the authentication system
  • SCRAM exchanges hashed items between client and server, which cannot be “played back”
  • SCRAM can be used with any hash algorithm (like SHA-1)

So, what do I have to do to use SCRAM-SHA?

Upgrade to Couchbase 4.5. The SDK (when applicable; not all SDKs support this yet) will handle the details. It will use SCRAM-SHA if it can, and it will fall back to CRAM-MD5 if you are running an older version of Couchbase. Using TLS is still recommended to maximize security.

One more thing: SCRAM supports many hash algorithms. Couchbase Server supports SHA-1, SHA-256 and SHA-512. The SDK picks the “highest”, so SHA-512 is always used.
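To make the bullet points above concrete (the stored secret as salt, iteration count and hashed values; an exchange whose messages cannot be played back; a pluggable hash), here is an added example of a SCRAM exchange in the shape of RFC 5802, written for this post. It is not Couchbase's own SDK or server code: user names, passwords, nonces and the iteration count are constructed sample values, the hash algorithm is a parameter so SHA-1, SHA-256 or SHA-512 can be plugged in as the paragraph above describes, and Couchbase's actual wire framing is not reproduced.

```python
# Added illustration of a SCRAM exchange in the shape of RFC 5802, hash algorithm selectable.
# Not Couchbase's own SDK or server code; user names, passwords and the iteration count are
# constructed sample values, and Couchbase's real wire framing is not reproduced.
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")

unb64 = base64.b64decode

@dataclass
class StoredSecret:
    """Server-side record per user: neither the password nor ClientKey is kept."""
    algo: str
    salt: bytes
    iterations: int
    stored_key: bytes  # H(ClientKey)
    server_key: bytes  # HMAC(SaltedPassword, "Server Key")

def _hmac(key: bytes, msg: bytes, algo: str) -> bytes:
    return hmac.new(key, msg, algo).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _attrs(msg: str) -> Dict[str, str]:
    # "k=v,k=v" -> dict; base64 values may end in '=' so split each part on the first '=' only
    return dict(part.split("=", 1) for part in msg.split(","))

def derive_keys(password: str, salt: bytes, iterations: int, algo: str) -> Tuple[bytes, bytes]:
    """Hi() is PBKDF2-HMAC; ClientKey and ServerKey are HMACs of it over fixed labels."""
    salted = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"), salt, iterations)
    return _hmac(salted, b"Client Key", algo), _hmac(salted, b"Server Key", algo)

def make_stored_secret(password: str, algo: str = "sha512", iterations: int = 4096,
                       salt: Optional[bytes] = None) -> StoredSecret:
    salt = os.urandom(16) if salt is None else salt
    client_key, server_key = derive_keys(password, salt, iterations, algo)
    return StoredSecret(algo, salt, iterations, hashlib.new(algo, client_key).digest(), server_key)

class ScramServer:
    def __init__(self, users: Dict[str, StoredSecret]):
        self.users = users

    def start(self, client_first: str) -> str:
        # client-first is "n,,n=<user>,r=<client-nonce>"; keep the part after the "n,," GS2 header
        self.client_first_bare = client_first[3:]
        attrs = _attrs(self.client_first_bare)
        self.secret = self.users[attrs["n"]]
        self.nonce = attrs["r"] + b64(os.urandom(18))  # fresh server nonce for every session
        self.server_first = f"r={self.nonce},s={b64(self.secret.salt)},i={self.secret.iterations}"
        return self.server_first

    def finish(self, client_final: str) -> str:
        without_proof, proof = client_final.rsplit(",p=", 1)
        if _attrs(without_proof)["r"] != self.nonce:
            raise PermissionError("nonce mismatch: client-final came from another session")
        s, algo = self.secret, self.secret.algo
        auth_message = ",".join([self.client_first_bare, self.server_first, without_proof]).encode()
        client_key = _xor(unb64(proof), _hmac(s.stored_key, auth_message, algo))  # undo the XOR
        if not hmac.compare_digest(hashlib.new(algo, client_key).digest(), s.stored_key):
            raise PermissionError("client proof does not match stored key")
        return "v=" + b64(_hmac(s.server_key, auth_message, algo))

class ScramClient:
    def __init__(self, user: str, password: str, algo: str = "sha512"):
        self.user, self.password, self.algo = user, password, algo

    def first(self) -> str:
        self.bare = f"n={self.user},r={b64(os.urandom(18))}"
        return "n,," + self.bare

    def final(self, server_first: str) -> str:
        attrs = _attrs(server_first)
        if not attrs["r"].startswith(_attrs(self.bare)["r"]):
            raise PermissionError("server did not echo our nonce")
        client_key, server_key = derive_keys(self.password, unb64(attrs["s"]), int(attrs["i"]), self.algo)
        stored_key = hashlib.new(self.algo, client_key).digest()
        without_proof = f"c=biws,r={attrs['r']}"  # "biws" is base64 of the "n,," header
        auth_message = ",".join([self.bare, server_first, without_proof]).encode()
        self.expected_v = _hmac(server_key, auth_message, self.algo)  # used to verify the server
        return without_proof + ",p=" + b64(_xor(client_key, _hmac(stored_key, auth_message, self.algo)))

    def verify_server(self, server_final: str) -> bool:
        return hmac.compare_digest(unb64(_attrs(server_final)["v"]), self.expected_v)

def authenticate(server: ScramServer, user: str, password: str, algo: str = "sha512") -> bool:
    """One full exchange; True only when the server accepts the proof and the client accepts v."""
    client = ScramClient(user, password, algo)
    try:
        server_final = server.finish(client.final(server.start(client.first())))
    except (PermissionError, KeyError):
        return False
    return client.verify_server(server_final)

def replay_is_rejected(server: ScramServer, user: str, password: str, algo: str = "sha512") -> bool:
    """Resend a captured, valid client-final in a new session: the new server nonce defeats it."""
    client = ScramClient(user, password, algo)
    first = client.first()
    captured = client.final(server.start(first))
    server.finish(captured)  # the genuine session succeeds
    server.start(first)      # a second session hands out a different server nonce
    try:
        server.finish(captured)
    except PermissionError:
        return True
    return False
```

The server record holds only the salt, the iteration count, H(ClientKey) and ServerKey, so a copy of it does not yield a valid client proof, and every session binds the proof to a fresh server nonce, which is what makes a captured message useless when replayed. For brevity the RFC's escaping of `,` and `=` in user names and its channel-binding options are left out.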

That's the quick intro! Any questions? Leave a comment, or ask a question in the Couchbase Forums.

Posted by Matthew Groves, Developer Advocate

Matthew is a Developer Advocate for Couchbase, and lives in the Central Ohio area. He has experience as a web developer, consultant, in-house developer, and product developer. He has been a regular speaker at conferences and user groups all over the United States, and he has written AOP in .NET for Manning Books. He has experience in C# and .NET, but also with other web-related tools and technologies like JavaScript and PHP. You can find him on Twitter at @mgroves.