Slow SCRAM-SHA-1 auth

Can SCRAM-SHA-1 be improved to make it faster …

After the challenge is received from the server, it takes a while to respond back to the server.

Found out that hi is taking more time:

    private static byte[] hi(String str, byte[] salt, int iterations) throws SmackException {
        byte[] key = str.getBytes();
        // U1 := HMAC(str, salt + INT(1))
        byte[] u = hmac(key, ByteUtils.concact(salt, ONE));
        byte[] res = u.clone();
        // With 4096 iterations it takes around 3-4 secs, not sure if this can be improved
        for (int i = 1; i < iterations; i++) {
            u = hmac(key, u);
            for (int j = 0; j < u.length; j++) {
                res[j] ^= u[j];
            }
        }
        FileLog.e("SCRAM WA", "hi-4");
        return res;
    }

That’s basically a “feature” of SCRAM. The hi() function will not be called if the server sends the same salt and Smack finds the cacheKey in its Cache.
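The cost and the cache discussed above, as an added example that is not part of the original thread and is not Smack's code: Hi() from RFC 5802 is PBKDF2 with HMAC-SHA-1, written here with a single `Mac` instance keyed once, and wrapped in a cache so a repeated salt and iteration count skips the 4096 rounds. The class name, `cachedHi`, the cache key layout and the sample password and salt are assumptions made for illustration, and the password is assumed to be already normalized.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class ScramHiDemo {
    // Hypothetical cache: one derived key per (password, salt, iteration count).
    private static final Map<String, byte[]> CACHE = new HashMap<>();

    // Hi() from RFC 5802, i.e. PBKDF2-HMAC-SHA-1 with a 20-byte output.
    static byte[] hi(String password, byte[] salt, int iterations) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA1");
        // Key the MAC once; doFinal() resets it for reuse with the same key.
        mac.init(new SecretKeySpec(password.getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        mac.update(salt);
        byte[] u = mac.doFinal(new byte[] {0, 0, 0, 1});   // U1 = HMAC(str, salt + INT(1))
        byte[] res = u.clone();
        for (int i = 1; i < iterations; i++) {
            u = mac.doFinal(u);                             // Ui = HMAC(str, Ui-1)
            for (int j = 0; j < res.length; j++) res[j] ^= u[j];
        }
        return res;
    }

    static byte[] cachedHi(String password, byte[] salt, int iterations) throws GeneralSecurityException {
        String cacheKey = password + ',' + Base64.getEncoder().encodeToString(salt) + ',' + iterations;
        byte[] hit = CACHE.get(cacheKey);
        if (hit == null) { hit = hi(password, salt, iterations); CACHE.put(cacheKey, hit); }
        return hit.clone();                                 // callers never share the cached array
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = "salt".getBytes(StandardCharsets.UTF_8);  // constructed sample input
        for (int round = 1; round <= 2; round++) {
            long t0 = System.nanoTime();
            byte[] key = cachedHi("password", salt, 4096);
            long micros = (System.nanoTime() - t0) / 1000;
            StringBuilder hex = new StringBuilder();
            for (byte b : key) hex.append(String.format("%02x", b));
            System.out.println("round " + round + ": " + hex + " (" + micros + " us)");
        }
    }
}
```

The second round returns the same derived key from the cache; a different salt or iteration count produces a different cache key and triggers a full derivation again.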

Thanks @Flow, I will see on the server side how I can send the same salt. However, can sending the same salt have any security risk? Can it be used for replay attacks? It's just a question that came to my mind. Also, it would be great if we could have XEP-0305: XMPP Quickstart; this will really help in fast auths on reconnection.