Re: MD5 authentication needs help
| От | Heikki Linnakangas |
|---|---|
| Тема | Re: MD5 authentication needs help |
| Дата | |
| Msg-id | 54F759DE.2020109@iki.fi обсуждение исходный текст |
| Ответ на | Re: MD5 authentication needs help (Stephen Frost <sfrost@snowman.net>) |
| Ответы |
Re: MD5 authentication needs help
|
| Список | pgsql-hackers |
On 03/04/2015 08:59 PM, Stephen Frost wrote: > * Heikki Linnakangas (hlinnaka@iki.fi) wrote: >> The big difference between SRP and SCRAM is that if you eavesdrop >> the SCRAM handshake, you can use that information to launch a >> brute-force or dictionary attack. With SRP, you cannot do that. That >> makes it relatively safe to use weak passwords with SRP, which is >> not the case with SCRAM (nor MD5) > > Thanks for the info! > > Looking around a bit, one issue with SRP (as pointed out by Simon > Josefsson, the author of the SCRAM implementation for GNU SASL) is that > the username is included in the verifier (similar to our implementation > today with MD5) meaning that the stored data on the server is no longer > valid if the username is changed. Obviously, our users are used to > that, but it's still something to be considered. Yes, good point, that's yet another thing that needs to be considered. > One question though- isn't the iteration option to SCRAM intended to > address the dictionary/brute force risk? SRP uses an exponentiation > instead of iterations but it's unclear to me if one is really strictly > better or worse than the other (nor have I found any discussion of that > comparison) for this vector. Not sure what you mean. Yes, the iterations option in SCRAM is designed to make brute forcing more expensive. For both a captured authentication handshake, or if you steal a backup tape. I'm not sure how expensive a brute force attack on SRP would be, using a stolen backup tape. There doesn't seem to be an iterations count similar to SCRAM. But note that SRP's resistance to brute-forcing the authentication handshake is of a different kind. It's not just expensive, but outright impossible. (Don't ask me how that works; I'm not well-versed in the maths involved.) That's a big advantage because it means that it's OK to use a fairly weak password like 'foobar123' that would be trivially cracked with a dictionary attack. (You can still connect to the server and try different passwords, but the server can log that and throttle how many guesses / minute it let's you do) - Heikki
В списке pgsql-hackers по дате отправления: