> On 26 Jun 2024, at 18:59, Robert Haas <robertmhaas@gmail.com> wrote:
> However, it seems like SCRAM is designed so
> that different hash functions can be substituted into it, so what I'm
> hoping is that we can keep SCRAM and just replace SCRAM-SHA-256 with
> SCRAM-WHATEVER when SHA-256 starts to look too weak.
Correct, SCRAM is an authentication method which can use different hashing
algorithms. There are current drafts for SCRAM-SHA-512 and SHA3-512 but they
are some way away from being standardized. If they become standards at some
point reasonable to extend our support, but until then there is no evidence
that what we have is insecure AFAIK.
https://datatracker.ietf.org/doc/html/draft-melnikov-scram-sha-512
https://datatracker.ietf.org/doc/html/draft-melnikov-scram-sha3-512
> What I find a bit surprising about Anbazhagan's question is that he
> asks about PBKDF2, which seems to be part of SCRAM already.
In scram_SaltedPassword() we perform PBKDF2 with HMAC as the pseudorandom
function.
--
Daniel Gustafsson
