Postgres Pro
Downloads
Home   >   mailing lists

Re: You're on SecurityFocus.com for the cleartext passwords. - Mailing list pgsql-hackers

From Bruce Momjian
Subject Re: You're on SecurityFocus.com for the cleartext passwords.
Date
Msg-id 200005061517.LAA10084@candle.pha.pa.us
Whole thread Raw
In response to Re: You're on SecurityFocus.com for the cleartext passwords.  (Vince Vielhaber <vev@michvhf.com>)
Responses Re: You're on SecurityFocus.com for the cleartext passwords.  (Vince Vielhaber <vev@michvhf.com>)
Re: You're on SecurityFocus.com for the cleartext passwords.  ("Sverre H. Huseby" <sverrehu@online.no>)
Re: You're on SecurityFocus.com for the cleartext passwords.  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
Tree view 
> > The goal here was to make wire sniffing unproductive, and because the
> > server supplied the salt to be used by the client, you can't just
> > re-use a sniffed password you saw on the wire.
> > 
> > At least this is my recollection of the problem.
> > 
> > 
> 
> We can do it with MD5.  Sverre has offered up a java version of it
> that he wrote, I can convert it to C and make sure it at least runs
> on FreeBSD, IRIX, DOS/Windows, and HPUX 8-10.  If it runs in unix then
> it should also run in OS/2.  If we roll our own we should be safe.  I
> can even include a simple test to make sure it works for all platforms
> we support.

Yes, I seem to remember that was the issue.  If we only did crypting on
the server, and allowed passwords to come cleartext from clients, then
we only needed crypting on the server.  If we crypt in a one-way fashion
on the client before coming to the server using a random salt, we have
to do the other part of the crypting on the client too.

In other words, it is the one-way nature of the password crypt we used
on the client that caused us to need the _exact_ same input string to
go into that crypt on the client and server, so we would need the same
crypt process in both places.

Now, let me ask another, better question:

Right now the password receives a random salt from the server, it uses
that salt to crypt the password, then send that back for comparison with
the clear-text password we store in the system.

What if we:store the password in pg_shadow like a unix-style password with saltpass the random salt and the salt from
pg_shadowto the clientclient crypts the password twice through the routine:    once using the pg_shadow salt    another
timeusing the random salt
 

and passes that back to the server.  The server can use the pg_shadow
copy of the password, use the random salt make a new version, and
compare the result.

This has the huge advantage of not requiring any new crypting methods on
the client.  It only requires the crypt to happen twice using two
different salts.

Sounds like a winner.  Comments?

--  Bruce Momjian                        |  http://www.op.net/~candle pgman@candle.pha.pa.us               |  (610)
853-3000+  If your life is a hard drive,     |  830 Blythe Avenue +  Christ can be your backup.        |  Drexel Hill,
Pennsylvania19026

pgsql-hackers by date:

Previous
From: Vince Vielhaber
Date:
Subject: Re: You're on SecurityFocus.com for the cleartext passwords.
Next
From: Vince Vielhaber
Date:
Subject: Re: You're on SecurityFocus.com for the cleartext passwords.