Poco::RemotingNG::TCP

class SCRAMAuthenticator

File Information

Library: RemotingNG/TCP
Package: TCP
Header: Poco/RemotingNG/TCP/SCRAMAuthenticator.h

Description

This abstract Authenticator implementation provides the SCRAM-SHA-1 (Salted Challenge Response Authentication Mechanism with SHA-1) authentication mechanism.

SCRAM specifies the authentication message exchange between the client and the server. It uses the PBKDF2 algorithm from the Public-Key Cryptography Standards (PKCS) and has the following features:

  • The password is never transmitted in plain text, only a hash of the password is transmitted from client to server.
  • The server does not need to store the passwords in plain text (or encrypted); salted hashes of the passwords are sufficient.
  • The protocol allows for authenticating the client against the server and also authenticating the server against the client.

Since the Remoting framework does not provide user account and password storage, this class must be subclassed and the following methods must be implemented:

Inheritance

Direct Base Classes: Poco::RemotingNG::Authenticator

All Base Classes: Poco::RefCountedObject, Poco::RemotingNG::Authenticator

Member Summary

Member Functions: authenticate, computeClientProof, computeServerSignature, createNonce, digestToBinaryString, digestToHexString, hashForUser, newConversationID, saltForUser

Inherited Functions: authenticate, duplicate, referenceCount, release

Nested Classes

struct Conversation protected

 

Types Aliases

ConversationCache protected

using ConversationCache = Poco::ExpireCache < Poco::UInt32, Conversation >;

Ptr

using Ptr = Poco::AutoPtr < SCRAMAuthenticator >;

Enumerations

State protected

STATE_INIT

STATE_START

STATE_CLIENT_AUTH

Constructors

SCRAMAuthenticator

SCRAMAuthenticator();

Creates the SCRAMAuthenticator.

Destructor

~SCRAMAuthenticator virtual

~SCRAMAuthenticator();

Destroys the SCRAMAuthenticator.

Member Functions

authenticate virtual

AuthenticateResult authenticate(
    const Credentials & credentials,
    Poco::UInt32 conversationID
);

See also: Poco::RemotingNG::Authenticator::authenticate()

computeClientProof static

static std::string computeClientProof(
    const std::string & username,
    const std::string & clientNonce,
    const std::string & salt,
    int iterations,
    const std::string & saltedPassword,
    const std::string & serverNonce,
    std::string & clientAuthMessage
);

computeServerSignature static

static std::string computeServerSignature(
    const std::string & saltedPassword,
    const std::string & clientAuthMessage
);

createNonce static

static std::string createNonce();

digestToBinaryString static

static std::string digestToBinaryString(
    Poco::DigestEngine & engine
);

digestToHexString static

static std::string digestToHexString(
    Poco::DigestEngine & engine
);

hashForUser protected virtual

virtual std::string hashForUser(
    const std::string & username
) = 0;

Returns the PBKDF2-hashed password for the given user.

Note that the returned string must contain the raw bytes of the hash, not the hex-encoded or base64-encoded hash.

newConversationID protected

Poco::UInt32 newConversationID();

Generates a new Conversation ID.

saltForUser protected virtual

virtual std::string saltForUser(
    const std::string & username,
    int & iterations
) = 0;

Returns the salt for hashing the given user's password, as well as the number of iterations for the PBKDF2 algorithm.

Returns an empty string if the user does not exist.