In SCRAM (RFC 5802, page 8) the client generates ClientKey for the server, which is a derivation of the original password. This is communicated to the server in a secure fashion; the server then performs a single hash operation H(ClientKey) and checks if that's equal to StoredKey. That is, the client proves knowledge of something which, when hashed, equals something stored on the server.
I understand that SCRAM puts a lot of steps in between to include a challenge-response mechanism and never actually sending the real key over the wire and such. However, I don't see how this is conceptually different from sending PlaintextPassword and comparing it to the server's H(PlaintextPassword). Note that this is a single hash operation, not the original PBKDF2 used to derive ClientKey in the first place. In SCRAM wouldn't the ClientKey be just as sensitive as PlaintextPassword? If an attacker were to gain knowledge of ClientKey then PlaintextPassword is not needed anymore. Since it's only secured in storage using a single hash operation, doesn't this make SCRAM in its defined implementation vulnerable to rainbow tables on a leaked database?
Bonus question: would there be any problem with taking that single hash operation and replacing it with something stronger, like another round of PBKDF2 or even scrypt?
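To make the key chain the question is about concrete, here is an added worked example (not part of the question, and not any library's SCRAM implementation) of the RFC 5802 section 3 derivation in Python using only `hashlib` and `hmac`: `SaltedPassword = Hi(password, salt, i)` (PBKDF2), `ClientKey = HMAC(SaltedPassword, "Client Key")`, `StoredKey = H(ClientKey)`, and the proof exchange in which the server recovers ClientKey from ClientProof and checks `H(ClientKey) == StoredKey`. The password, salt, iteration count and AuthMessage are constructed sample values; the hash name is a parameter because RFC 5802 uses SHA-1 and RFC 7677 uses SHA-256. The two helper functions at the end show what a holder of the stored record can and cannot do with it: checking whether a candidate password matches the record requires re-running the full PBKDF2 chain, and the record alone does not produce a ClientProof that verifies.

```python
import hashlib
import hmac

# Constructed sample values (not taken from the question).
HASH = "sha256"          # RFC 5802 specifies SHA-1, RFC 7677 SHA-256
PASSWORD = b"pencil"
SALT = b"constructed-per-user-salt"
ITERATIONS = 4096
# AuthMessage = client-first-message-bare "," server-first-message ","
# client-final-message-without-proof; contents are illustrative only.
AUTH_MESSAGE = (b"n=user,r=cnonce,"
                b"r=cnonce-snonce,s=Y29uc3RydWN0ZWQ=,i=4096,"
                b"c=biws,r=cnonce-snonce")


def h(data: bytes) -> bytes:
    """H() from RFC 5802: the bare hash function."""
    return hashlib.new(HASH, data).digest()


def hmac_(key: bytes, msg: bytes) -> bytes:
    """HMAC() from RFC 5802, keyed with the same hash."""
    return hmac.new(key, msg, HASH).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive_keys(password: bytes, salt: bytes, iterations: int) -> dict:
    """Everything the client derives from the password (RFC 5802 section 3)."""
    # Hi(str, salt, i) is PBKDF2 with HMAC-<hash> and dkLen = hash length.
    salted_password = hashlib.pbkdf2_hmac(HASH, password, salt, iterations)
    client_key = hmac_(salted_password, b"Client Key")
    server_key = hmac_(salted_password, b"Server Key")
    stored_key = h(client_key)
    return {"client_key": client_key, "stored_key": stored_key,
            "server_key": server_key}


def server_enroll(password: bytes, salt: bytes, iterations: int) -> dict:
    """The server's authentication record: salt, i, StoredKey, ServerKey.
    Neither the password nor ClientKey is kept."""
    keys = derive_keys(password, salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "stored_key": keys["stored_key"], "server_key": keys["server_key"]}


def client_proof(password: bytes, salt: bytes, iterations: int,
                 auth_message: bytes) -> bytes:
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    keys = derive_keys(password, salt, iterations)
    client_signature = hmac_(keys["stored_key"], auth_message)
    return xor(keys["client_key"], client_signature)


def server_verify(record: dict, auth_message: bytes, proof: bytes) -> bool:
    """Server side: recover ClientKey from the proof and hash it once."""
    client_signature = hmac_(record["stored_key"], auth_message)
    recovered_client_key = xor(proof, client_signature)
    return hmac.compare_digest(h(recovered_client_key), record["stored_key"])


def password_matches_record(record: dict, candidate: bytes) -> bool:
    """Checking one candidate password against a stored record needs the whole
    chain (PBKDF2 -> HMAC -> H); StoredKey cannot be tested with H() alone."""
    keys = derive_keys(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(keys["stored_key"], record["stored_key"])


def proof_from_stored_key_only(record: dict, auth_message: bytes) -> bytes:
    """What the record alone yields: ClientSignature is computable, but the
    XOR needs ClientKey, which the record does not contain. Substituting
    StoredKey for it produces a proof that server_verify rejects."""
    client_signature = hmac_(record["stored_key"], auth_message)
    return xor(record["stored_key"], client_signature)


if __name__ == "__main__":
    record = server_enroll(PASSWORD, SALT, ITERATIONS)
    proof = client_proof(PASSWORD, SALT, ITERATIONS, AUTH_MESSAGE)
    print("genuine proof verifies:", server_verify(record, AUTH_MESSAGE, proof))
    print("record-only proof verifies:",
          server_verify(record, AUTH_MESSAGE,
                        proof_from_stored_key_only(record, AUTH_MESSAGE)))
```

Run it as a script to see the genuine proof accepted and the record-only proof rejected. Note that the record does give its holder ServerKey, which is what the server uses to prove itself to the client, so a leaked record still matters for server impersonation; that is separate from the single-hash question about StoredKey.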