
In an authentication method I am using an auth framework which runs an implementation of CRA, which forwards the salt (with key length / iterations) and a challenge to the client.

With this information the client can use the stored, salted password (which was entered by the user manually and offline) to create a signature (using HMAC), which is then returned to the server, where it is verified.

I am generating unique salts using the bcrypt library. My question is: the developers of the auth framework state that this is a very safe method and does not require TLS, since the actual "secret" never travels over "the wire" (meaning it is never forwarded to the client).

My concern, however, is whether it is safe to send the salt over to the client.

Simon Kemper

0 Answers