How to verify the salt in the SCRAM protocol?
I've recently read about the SCRAM authentication protocol. One of the stated design motivations is to support mutual authentication, but how does the client verify that the salt and cost parameters provided by the server are correct?
If the server provides the same salt as for another user it might reveal that they share a password, and if the server provides very low cost parameters then the hash would become easier to crack. This might enable the server to cheat during the mutual authentication, and possibly for a malicious server to gain access to user credentials.
This issue could trivially be solved by letting the client ignore what the server says and use a static cost parameter and a deterministic salt decided by the client, but then we would no longer be following the specification. If we want use the values provided by the server, what is a good way to go about that? There must be a way for the client to verify that these are the same parameters as used during account registration, I just don't seem to be able to find any info on how.
