Re: Is md5 really more secure than crypt?
From | Joe Conway |
---|---|
Subject | Re: Is md5 really more secure than crypt? |
Date | |
Msg-id | 3D0CE29E.8070002@joeconway.com |
In reply to | Re: Is md5 really more secure than crypt? (Bruce Momjian <pgman@candle.pha.pa.us>) |
List | pgsql-general |
Tom Lane wrote:

> MD5 is not commutative in this sense, and it might be that any hash
> algorithm that is could not be cryptographically strong. But we could
> look around and see what's out there...

I've never come across a commutative hash, but what you describe sounds similar to the way asymmetric (i.e. public key) algorithms work. But even with SSL, etc., the server certificate is normally encrypted on disk to prevent compromise in the event someone gains local access. The problem then becomes one of bootstrapping the system -- SSL web servers with encrypted certificates need a warm body around when they boot to type in the password used to encrypt the certificate.

My take is that if we're really concerned with the scenario described, we'd need something similar. Have the dba type a password when the postmaster is started, use that password to decrypt the stored encrypted hashed users' passwords. Everything else stays pretty much as is.

The question remains as to whether it is really worth all the trouble, especially since the server needs to be compromised in the first place before the current behavior is a problem.

(Except, as I've mentioned before, security gurus would prefer we use HMAC instead of a simple hash for authentication -- see: http://www-cse.ucsd.edu/users/mihir/papers/kmd5.pdf and http://www.faqs.org/rfcs/rfc2104.html if you're curious. It basically involves using a hash like md5 or sha1 in a specific way. I've implemented this before and would be happy to help if there is interest. I think there is even an HMAC function in contrib/pgcrypto now.)

Joe
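The HMAC construction Joe refers to (RFC 2104) is short enough to show in full. The following is an added example, not code from the thread or from contrib/pgcrypto: it builds HMAC from a plain hash exactly as the RFC specifies (key hashed if longer than the block, zero-padded, XORed with the `ipad`/`opad` constants, two hash passes), cross-checks the result against Python's standard `hmac` module, and sketches the challenge-response use that distinguishes "HMAC for authentication" from sending a bare hash. The `make_response`/`check_response` functions and the nonce-based exchange are the example's own assumptions about how such an authentication step could look, not a description of PostgreSQL's protocol.

```python
import hashlib
import hmac as stdlib_hmac
import os

# RFC 2104, section 2: the inner and outer pad bytes.
IPAD_BYTE = 0x36
OPAD_BYTE = 0x5C


def rfc2104_hmac(key: bytes, message: bytes, hash_name: str = "md5") -> bytes:
    """HMAC(K, text) = H((K' XOR opad) || H((K' XOR ipad) || text)).

    Implemented directly from RFC 2104 on top of any hashlib digest;
    MD5 and SHA-1 both use a 64-byte block (B in the RFC).
    """
    block_size = hashlib.new(hash_name).block_size
    # Keys longer than one block are first reduced with the hash itself.
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    # K' is the key zero-padded to exactly one block.
    k_prime = key.ljust(block_size, b"\x00")
    inner_key = bytes(b ^ IPAD_BYTE for b in k_prime)
    outer_key = bytes(b ^ OPAD_BYTE for b in k_prime)
    inner_digest = hashlib.new(hash_name, inner_key + message).digest()
    return hashlib.new(hash_name, outer_key + inner_digest).digest()


def rfc2104_hmac_hex(key: bytes, message: bytes, hash_name: str = "md5") -> str:
    return rfc2104_hmac(key, message, hash_name).hex()


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "md5") -> bool:
    """Cross-check the hand-rolled HMAC against the standard library."""
    expected = stdlib_hmac.new(key, message, hash_name).digest()
    return stdlib_hmac.compare_digest(rfc2104_hmac(key, message, hash_name), expected)


# --- Hypothetical challenge-response use of HMAC (example's assumption) ---

def make_response(shared_secret: bytes, nonce: bytes) -> bytes:
    """Client side: prove knowledge of the secret without sending it.

    The server-issued nonce is the HMAC message, so a captured response
    cannot be replayed against a different challenge.
    """
    return rfc2104_hmac(shared_secret, nonce, "sha1")


def check_response(shared_secret: bytes, nonce: bytes, response: bytes) -> bool:
    """Server side: recompute and compare in constant time."""
    return stdlib_hmac.compare_digest(make_response(shared_secret, nonce), response)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    secret = b"constructed-shared-secret"
    nonce = os.urandom(16)
    resp = make_response(secret, nonce)
    print("RFC 2104 HMAC-MD5 of 'Hi There':", rfc2104_hmac_hex(b"\x0b" * 16, b"Hi There"))
    print("response accepted:", check_response(secret, nonce, resp))
    print("replay with new nonce accepted:", check_response(secret, os.urandom(16), resp))
```

Two points worth noting in the code: keys longer than the block size are hashed first, which is the branch most hand-written HMACs get wrong, and verification uses `hmac.compare_digest` so the comparison does not leak timing information about how many leading bytes matched.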