Re: WIP: SCRAM authentication

On Wed, Aug 12, 2015 at 9:36 PM, Stephen Frost <sfrost@snowman.net> wrote:
>> Yes, the SCRAM implementation could be buggy.  But also, OpenSSL has
>> repeatedly had security bugs that were due to forcing servers to
>> downgrade to older protocols.  I wouldn't like us to start growing
>> similar vulnerabilities, where SCRAM would have been just fine but an
>> attack that involves forcing a downgrade to MD5 is possible.
>
> I agree that such similar vulnerabilities would be unfortunate, but
> the way to avoid that is to not implement the actual hashing or
> encryption algorithms ourselves and to stick to the protocol as defined
> in the specification.

Nothing in that will protect us if the client can request a non-SCRAM
form of authentication.

>> I don't think you are quite correct about the scenario where pg_authid
>> is compromised.  Even if the hash stored there is functionally
>> equivalent to the password itself as far as this instance of
>> PostgreSQL is concerned, the same password may have been used for
>> other services, so cracking it has a purpose.
>
> I attempted to address that also by stating that, should an attacker
> compromise a system with the goal of gaining the cleartext password,
> they would attempt the following, in order:

What if they steal a pg_dump?  All of the password verifiers are
there, but the live system is not.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company