Re: [HACKERS] Re: Hashing passwords (was Updated TODO list)
From | Gene Sokolov |
---|---|
Subject | Re: [HACKERS] Re: Hashing passwords (was Updated TODO list) |
Date | |
Msg-id | 00a901becc6b$0730fad0$0d8cdac3@aktrad.ru |
In reply to | Re: [HACKERS] Re: Hashing passwords (was Updated TODO list) (Louis Bertrand <louis@bertrandtech.on.ca>) |
List | pgsql-hackers |
I looked it up. One problem with this protocol imho is extensive use of modular exponentiation. This operation is heavy. The login procedure would be cpu-intensive.

Second - the protocol covers secure authentication. Data is sent unencrypted anyway. I think it is not wise to spend a lot of effort on secure login without securing the data channel. "Building secure PgSQL" would be an interesting subject of discussion though.

Gene Sokolov.

From: Mattias Kregert <matti@algonet.se>
> Another nice thing with SRP is that it is a mutual authentication. A
> third party cannot say "hey i'm the server, please connect to me. Sure,
> your password is correct, start sending queries... INSERT? ok, sure,
> INSERT 1 1782136. go on..." and steal a lot of data... the SRP client
> always knows if it is talking to the real thing. No more third party
> attacks...
> http://srp.stanford.edu/srp/others.html
>
> /* m */
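
The mutual check described in the quoted message and the modular exponentiations mentioned in the reply, as an added example that is not part of the original thread or of any PostgreSQL code: one SRP exchange in which a server lacking the stored verifier fails the client's check. SRP-6a-style arithmetic, SHA-256, the toy modulus and every function name here are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Toy group, illustration only: 2**127 - 1 is prime but far too small for real use.
N, g = 2**127 - 1, 3

def H(*parts):
    """SHA-256 over length-prefixed ints/bytes, returned as an integer."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        h.update(len(p).to_bytes(2, "big") + p)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # multiplier that binds B to the verifier

def private_x(user, password, salt):
    """Client-side secret exponent derived from salt, user name and password."""
    return H(salt, H(user.encode(), b":", password.encode()))

def make_verifier(user, password, salt):
    """What the server stores instead of the password: v = g^x mod N."""
    return pow(g, private_x(user, password, salt), N)

def run_login(user, password, salt, server_v):
    """One exchange. Returns (server_accepts_client, client_accepts_server)."""
    # Client -> server: A = g^a (first modular exponentiation)
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    # Server -> client: B = k*v + g^b, built from the stored verifier
    b = secrets.randbelow(N - 2) + 1
    B = (k * server_v + pow(g, b, N)) % N
    if A % N == 0 or B % N == 0:  # degenerate values must be rejected
        return False, False
    u = H(A, B)
    # Each side derives the session key from its own secret (two more
    # exponentiations per side); the password itself never crosses the wire.
    x = private_x(user, password, salt)
    K_client = H(pow((B - k * pow(g, x, N)) % N, a + u * x, N))
    K_server = H(pow(A * pow(server_v, u, N) % N, b, N))
    # The client proves its key first, then the server proves its own.
    M1 = H(A, B, K_client)
    server_ok = hmac.compare_digest(str(M1), str(H(A, B, K_server)))
    M2 = H(A, M1, K_server)
    client_ok = hmac.compare_digest(str(M2), str(H(A, M1, K_client)))
    return server_ok, client_ok
```

Both sides are simulated in one function so the arithmetic can be read in order; a real deployment uses a large standardized group and splits the steps across the network.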