SCRAM authentication
SCRAM (Salted Challenge Response Authentication Mechanism) is a challenge-response authentication method, defined in RFC 5802 (SCRAM-SHA-256 in RFC 7677), that lets a client prove knowledge of a password without ever sending the password itself over the network. MQTT 5.0 does not define SCRAM; it defines Enhanced Authentication (the AUTH packet together with the Authentication Method and Authentication Data properties), which carries SASL mechanisms such as SCRAM-SHA-256 between client and broker. SCRAM gives stronger guarantees than Basic authentication, where the password is sent as-is in the CONNECT packet.
Unlike Basic authentication, where the credentials are sent directly in the CONNECT packet, SCRAM performs a multi-step handshake carried in AUTH packets:
- The client sends an initial message with its username and a fresh client nonce.
- The broker answers with a challenge: the combined nonce, the salt and the iteration count stored for that user.
- The client derives keys from the password, salt and iteration count (PBKDF2) and computes a proof over the whole exchange so far.
- The broker verifies the proof using only the stored derived keys (StoredKey and ServerKey), never the plaintext password, and returns its own signature so the client can authenticate the broker as well.
Because every handshake uses fresh nonces and the password never appears on the wire, this protects against replay of a captured exchange and against simple password interception, even on an unencrypted connection. It does not protect anything else: without TLS the MQTT traffic after authentication is still readable, a captured exchange (salt and iteration count are sent in the clear) allows an offline dictionary attack against a weak password, and without channel binding (the SCRAM-*-PLUS variants) an active man-in-the-middle is not detected. SCRAM should therefore still be run over TLS.
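The exchange described above, worked through in code as an added example (not code from the original page or from any broker): both sides run in one process, the broker side holds only the enrolled StoredKey/ServerKey, and the fixed nonces, salt and user name are constructed test values. It follows RFC 5802 with SHA-256 and no channel binding, and also shows the failure path, where a wrong password is rejected by the broker and the client in turn refuses the broker's reply.

```python
"""Worked SCRAM-SHA-256 exchange (RFC 5802 / RFC 7677) with both sides in one process.
Added example, not code from the original page. Nonces, salt and user are hypothetical test values."""
import base64
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional

HASH = "sha256"
HASH_LEN = hashlib.new(HASH).digest_size


def _h(data: bytes) -> bytes:
    return hashlib.new(HASH, data).digest()


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, HASH).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def _parse(msg: str) -> dict:
    """Split a SCRAM attribute list 'k=v,k=v' into a dict; values may themselves contain '='."""
    return dict(part.split("=", 1) for part in msg.split(","))


@dataclass
class StoredCredential:
    """What the broker persists at enrollment: salt, iteration count and two derived keys.
    The password itself is never stored and is never seen by the broker again."""
    salt: bytes
    iterations: int
    stored_key: bytes   # H(ClientKey): used to verify client proofs
    server_key: bytes   # HMAC(SaltedPassword, "Server Key"): used to sign server-final


def enroll(password: str, salt: Optional[bytes] = None, iterations: int = 4096) -> StoredCredential:
    salt = salt or os.urandom(16)
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(), salt, iterations, HASH_LEN)  # Hi() of RFC 5802
    client_key = _hmac(salted, b"Client Key")
    server_key = _hmac(salted, b"Server Key")
    return StoredCredential(salt, iterations, _h(client_key), server_key)


def scram_exchange(username: str, password: str, cred: StoredCredential,
                   client_nonce: Optional[str] = None, server_nonce: Optional[str] = None):
    """Run the four SCRAM messages. Returns (messages, server_accepted, client_accepted)."""
    client_nonce = client_nonce or secrets.token_urlsafe(18)
    server_nonce = server_nonce or secrets.token_urlsafe(18)
    user = username.replace("=", "=3D").replace(",", "=2C")  # RFC 5802 saslname escaping

    # 1. client-first-message: GS2 header "n,," (no channel binding), username, client nonce
    client_first_bare = f"n={user},r={client_nonce}"
    client_first = "n,," + client_first_bare

    # 2. server-first-message: combined nonce, base64 salt, iteration count (all sent in the clear)
    nonce = client_nonce + server_nonce
    server_first = f"r={nonce},s={_b64(cred.salt)},i={cred.iterations}"

    # 3. client: derive keys from password + challenge, sign the transcript, send the proof
    sf = _parse(server_first)
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(), base64.b64decode(sf["s"]), int(sf["i"]), HASH_LEN)
    client_key = _hmac(salted, b"Client Key")
    client_final_bare = f"c={_b64(b'n,,')},r={sf['r']}"   # c=biws is base64("n,,")
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode()
    client_proof = _xor(client_key, _hmac(_h(client_key), auth_message))  # ClientKey XOR ClientSignature
    client_final = f"{client_final_bare},p={_b64(client_proof)}"

    # 4. server: rebuild AuthMessage from what it received; verify the proof with StoredKey only
    cf = _parse(client_final)
    srv_auth_message = f"{client_first[3:]},{server_first},{client_final.rsplit(',p=', 1)[0]}".encode()
    recovered_client_key = _xor(base64.b64decode(cf["p"]), _hmac(cred.stored_key, srv_auth_message))
    server_accepted = cf["r"] == nonce and hmac.compare_digest(_h(recovered_client_key), cred.stored_key)
    server_final = f"v={_b64(_hmac(cred.server_key, srv_auth_message))}" if server_accepted else "e=invalid-proof"

    # 5. client: verify the server signature, so the broker is authenticated as well
    expected = _hmac(_hmac(salted, b"Server Key"), auth_message)
    sfin = _parse(server_final)
    client_accepted = "v" in sfin and hmac.compare_digest(base64.b64decode(sfin["v"]), expected)
    return [client_first, server_first, client_final, server_final], server_accepted, client_accepted


if __name__ == "__main__":
    cred = enroll("correct horse", salt=b"constructed-salt", iterations=4096)
    for pw in ("correct horse", "wrong horse"):
        msgs, ok_srv, ok_cli = scram_exchange("alice", pw, cred, "cnonce123", "snonce456")
        print(f"password={pw!r} broker_accepted={ok_srv} client_accepted={ok_cli}")
        for m in msgs:
            print("   ", m)
```

The four strings returned are exactly what would travel in the Authentication Data of the CONNECT and AUTH packets; note that the password never appears in any of them, while the salt, iteration count and proof do, which is what makes an offline guess against a captured exchange possible when the connection is not protected by TLS.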