Re: You're on SecurityFocus.com for the cleartext passwords.
From | Vince Vielhaber |
---|---|
Subject | Re: You're on SecurityFocus.com for the cleartext passwords. |
Date | |
Msg-id | Pine.BSF.4.21.0005061133170.13987-100000@paprika.michvhf.com |
In reply to | Re: You're on SecurityFocus.com for the cleartext passwords. (Bruce Momjian <pgman@candle.pha.pa.us>) |
Responses |
Re: You're on SecurityFocus.com for the cleartext passwords.
Re: You're on SecurityFocus.com for the cleartext passwords. |
List | pgsql-hackers |
On Sat, 6 May 2000, Bruce Momjian wrote:

> > We can do it with MD5. Sverre has offered up a java version of it
> > that he wrote, I can convert it to C and make sure it at least runs
> > on FreeBSD, IRIX, DOS/Windows, and HPUX 8-10. If it runs in unix then
> > it should also run in OS/2. If we roll our own we should be safe. I
> > can even include a simple test to make sure it works for all platforms
> > we support.
>
> Yes, I seem to remember that was the issue. If we only did crypting on
> the server, and allowed passwords to come cleartext from clients, then
> we only needed crypting on the server. If we crypt in a one-way fashion
> on the client before coming to the server using a random salt, we have
> to do the other part of the crypting on the client too.
>
> In other words, it is the one-way nature of the password crypt we used
> on the client that caused us to need the _exact_ same input string to
> go into that crypt on the client and server, so we would need the same
> crypt process in both places.
>
> Now, let me ask another, better question:
>
> Right now the password receives a random salt from the server, it uses
> that salt to crypt the password, then send that back for comparison with
> the clear-text password we store in the system.
>
> What if we:
>     store the password in pg_shadow like a unix-style password with salt
>     pass the random salt and the salt from pg_shadow to the client
>     client crypts the password twice through the routine:
>         once using the pg_shadow salt
>         another time using the random salt
>
> and passes that back to the server. The server can use the pg_shadow
> copy of the password, use the random salt make a new version, and
> compare the result.
>
> This has the huge advantage of not requiring any new crypting methods on
> the client. It only requires the crypt to happen twice using two
> different salts.
>
> Sounds like a winner. Comments?

Overly complicated? What was your objection to MD5 again?

Vince.
--
==========================================================================
Vince Vielhaber -- KA8CSH    email: vev@michvhf.com    http://www.pop4.net
128K ISDN from $22.00/mo - 56K Dialup from $16.00/mo at Pop4 Networking
Online Campground Directory    http://www.camping-usa.com
Online Giftshop Superstore    http://www.cloudninegifts.com
==========================================================================
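Added example, not part of the original message and not PostgreSQL code: a sketch of the two-salt exchange proposed in the quoted text, showing what each side computes and sends. MD5 over secret+salt stands in for the crypt routine, and the function names, salt sizes and sample password are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def crypt_once(secret: str, salt: str) -> str:
    """Stand-in one-way routine (assumption): hex MD5 of secret + salt."""
    return hashlib.md5((secret + salt).encode()).hexdigest()

def make_shadow_entry(password: str) -> tuple[str, str]:
    """What the server keeps in pg_shadow: (stored_salt, crypt(password, stored_salt))."""
    stored_salt = os.urandom(4).hex()
    return stored_salt, crypt_once(password, stored_salt)

def server_challenge(shadow: tuple[str, str]) -> tuple[str, str]:
    """Server -> client: the pg_shadow salt plus a fresh random salt."""
    return shadow[0], os.urandom(16).hex()

def client_response(password: str, stored_salt: str, random_salt: str) -> str:
    """Client crypts twice: once with the pg_shadow salt, then with the random salt."""
    return crypt_once(crypt_once(password, stored_salt), random_salt)

def server_verify(shadow: tuple[str, str], random_salt: str, response: str) -> bool:
    """Server applies only the second step to its stored copy and compares."""
    expected = crypt_once(shadow[1], random_salt)
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    password = "s3cret-constructed"  # constructed sample value
    shadow = make_shadow_entry(password)
    stored_salt, salt_a = server_challenge(shadow)
    good = client_response(password, stored_salt, salt_a)
    bad = client_response("wrong-guess", stored_salt, salt_a)
    _, salt_b = server_challenge(shadow)  # a later login gets a new random salt
    return {
        "correct_password": server_verify(shadow, salt_a, good),
        "wrong_password": server_verify(shadow, salt_a, bad),
        "old_response_under_new_salt": server_verify(shadow, salt_b, good),
        "cleartext_on_wire": password in good,
    }

if __name__ == "__main__":
    print(demo())
```

Because `server_verify` derives the expected value from the pg_shadow entry alone, that stored value needs the same protection as the password itself.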