Security is important to us, here at Couchbase. I'd like to draw your attention to a new security feature in Couchbase 4.5 that might otherwise go unnoticed: SCRAM-SHA (pronounced like 'scram-shaw').

 

Scram! Licensed through Create Commons via Michael Pereckas - https://www.flickr.com/people/53332339@N00

 

(Scram Image Licensed through Create Commons via Michael Pereckas)

SCRAM (Salted Challenge Response Authentication Mechanism) is a password-based way of authenticating a user. It provides additional security against brute-force attacks, in the case that your servers are ever compromised. Previous versions of Couchbase used a CRAM-MD5 login scheme, which are more vulnerable to such attacks.

I found a great white paper that summarizes SCRAM and its benefits over CRAM-MD5. My summary of that summary on how SCRAM is an improvement:

  • SCRAM specifies a format for a secret: hashed data value, salt value, iteration count
  • This secret on its own cannot be used to trick the authentication system
  • SCRAM exchanges hashed items between client and server, which cannot be “played back”
  • SCRAM can be used with any hash algorithm (like SHA1)

 

So, what do I have to do to use SCRAM-SHA?

Upgrade to Couchbase 4.5. The SDK (when applicable–not all SDKs support this yet) will handle the details. It will use SCRAM-SHA if it can, and it will fall back to CRAM-MD5 if you are running an older version of Couchbase. Using TLS is still recommended to maximize security.

One more thing: SCRAM supports many hash algorithms. Couchbase Server supports SHA1, SHA-256 and SHA-512. The SDK picks the “highest”, so SHA-512 is always used.

That's the quick intro! Any questions? Leave a comment, or ask a question in the Couchbase Forums

Author

Author

Posted by Matthew Groves

Matthew D. Groves is a guy who loves to code. It doesn't matter if it's C#, jQuery, or PHP: he'll submit pull requests for anything. He has been coding professionally ever since he wrote a QuickBASIC point-of-sale app for his parent's pizza shop back in the 90s. He currently works as a Product Marketing Manager for Couchbase. His free time is spent with his family, watching the Reds, and getting involved in the developer community. He is the author of AOP in .NET (published by Manning), a Pluralsight author, and a Microsoft MVP.

Leave a reply