Re: md5 auth procotol - can it be replayed? - Mailing list pgsql-admin

From Tom Lane
Subject Re: md5 auth procotol - can it be replayed?
Date
Msg-id 23281.1462638517@sss.pgh.pa.us
In response to Re: md5 auth procotol - can it be replayed?  (Stephen Frost <sfrost@snowman.net>)
Responses Re: md5 auth procotol - can it be replayed?  (Nagy László Zsolt <gandalf@shopzeus.com>)
List pgsql-admin
Stephen Frost <sfrost@snowman.net> writes:
> * Nagy László Zsolt (gandalf@shopzeus.com) wrote:
>> Am I missing something?

> There is a challenge/response component, so the md5 hash which is stored
> is not what is sent across the wire.  That prevents replay attacks when
> the attacker is simply sniffing the network.

Worth noting here is that the challenge key space is not all that huge,
so an attacker who captures a large number of challenge/response pairs
would have a good probability of being able to answer the next challenge
successfully.  However, if you're concerned about sniffing of your
database connections happening on that scale, you really ought to be using
SSL encryption which would make the whole thing moot.  In many cases,
capturing a database session would reveal lots of interesting data passing
over the wire whether or not you'd captured a usable password --- so I'd
call it fairly irresponsible to not be using SSL if you think your
connection is open to sniffing.

            regards, tom lane
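The exchange Tom is describing, as an added worked example (this is not code from his message, from Stephen's, or from PostgreSQL itself). It models the documented md5 authentication flow: the server stores `md5` + hex(md5(password || username)), sends a 4-byte random salt as the challenge, and the client answers with `md5` + hex(md5(inner_hex || salt)). The point of the second half is to put a number on "the challenge key space is not all that huge": with a 32-bit salt, the probability that the next challenge is one an observer has already seen a valid answer for grows linearly with the number of distinct captured pairs. The role name, password and salt bytes below are constructed for the example.

```python
import hashlib
import hmac
import math
import os

SALT_BYTES = 4                      # AuthenticationMD5Password carries a 4-byte salt
SALT_SPACE = 2 ** (8 * SALT_BYTES)  # 2^32 distinct possible challenges


def stored_md5_secret(password: str, username: str) -> str:
    """Server-side stored form for an md5 role: 'md5' + hex(md5(password || username))."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def client_md5_response(password: str, username: str, salt: bytes) -> str:
    """What the client puts on the wire: 'md5' + hex(md5(hex(md5(password || username)) || salt)).

    The cleartext password never crosses the wire, and the answer is bound to this salt only.
    """
    if len(salt) != SALT_BYTES:
        raise ValueError("md5 auth salt must be exactly 4 bytes")
    inner_hex = hashlib.md5((password + username).encode()).hexdigest()
    return "md5" + hashlib.md5(inner_hex.encode() + salt).hexdigest()


def server_verify(stored_secret: str, salt: bytes, response: str) -> bool:
    """Server side: recompute the expected answer from the stored secret and the salt it issued."""
    if not stored_secret.startswith("md5") or len(salt) != SALT_BYTES:
        return False
    expected = "md5" + hashlib.md5(stored_secret[3:].encode() + salt).hexdigest()
    # Constant-time comparison so verification time does not leak how much of the digest matched.
    return hmac.compare_digest(expected, response)


def new_challenge() -> bytes:
    """A fresh random salt, as the server would send in AuthenticationMD5Password."""
    return os.urandom(SALT_BYTES)


def run_auth(password: str, username: str, stored_secret: str) -> bool:
    """One complete challenge/response round trip between a client and a server."""
    salt = new_challenge()                                   # server -> client
    response = client_md5_response(password, username, salt)  # client -> server
    return server_verify(stored_secret, salt, response)       # server decides


def p_next_challenge_seen(distinct_captured: int) -> float:
    """Probability that a fresh, uniformly random salt equals one of N distinct captured salts.

    This is the quantity behind 'a good probability of being able to answer the next challenge':
    an observer holding N distinct (salt, response) pairs can answer a new challenge only if the
    server happens to reuse one of those salts, which happens with probability N / 2^32.
    """
    n = max(0, min(distinct_captured, SALT_SPACE))
    return n / SALT_SPACE


def captures_needed(target_probability: float) -> int:
    """Distinct captured pairs needed before the next challenge is answerable with probability p."""
    if not 0.0 <= target_probability <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    return math.ceil(target_probability * SALT_SPACE)


if __name__ == "__main__":
    # Constructed sample credentials; nothing here is from the thread.
    stored = stored_md5_secret("constructed-password", "alice")
    print("login ok:", run_auth("constructed-password", "alice", stored))
    for n in (1_000, 1_000_000, 100_000_000):
        print(f"{n:>12} captured pairs -> next challenge answerable "
              f"with p = {p_next_challenge_seen(n):.6f}")
    print("pairs needed for p = 0.5:", captures_needed(0.5))
```

The probabilities are per login attempt, so the risk compounds over many sessions on a sniffable network, which is the scenario Tom is addressing. The mitigation he gives is the one to check for: in `pg_hba.conf`, `hostssl` entries only match TLS connections, so replacing `host` with `hostssl` for remote clients (with `ssl = on` in `postgresql.conf`) keeps the whole exchange off the cleartext wire.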