Re: So we're in agreement....

On Sun, 7 May 2000, Tom Lane wrote:

> Vince Vielhaber <vev@michvhf.com> writes:
> > My intent was not to send the username, but let the server figure it 
> > out by the response.
> 
> That would be a neat trick.  How will you do it?  MD5 is not reversible.

CLIENT: md5(salt_from_server + md5(username + md5(password)))

SERVER: md5(salt_from_server + md5(username + stored_password))

The server runs thru all available usernames using the above algorithm.

> I'm still of the opinion that anyone who is really concerned about
> sniffing attacks ought to be using SSL, because protecting just their
> password and not the data that will be exchanged later in the session is
> unwise.  So I'm not really excited about adding anti-sniffing frammishes
> like this one.  We've got a good scheme for the password; let's be
> careful about adding "improvements" that won't carry their weight in
> the real world.  There's no such thing as a single security scheme that
> addresses every possible vulnerability.  Extending one part of your
> security arsenal to partially solve problems that are better solved
> by a different tool is just wasting time.

Agreed.

Vince.
-- 
==========================================================================
Vince Vielhaber -- KA8CSH    email: vev@michvhf.com    http://www.pop4.net128K ISDN from $22.00/mo - 56K Dialup from
$16.00/moat Pop4 Networking       Online Campground Directory    http://www.camping-usa.com      Online Giftshop
Superstore   http://www.cloudninegifts.com
 
==========================================================================