On Wed, Jun 26, 2024 at 12:11 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
> It is not, and I doubt we have any interest in dramatically expanding
> the set of allowed password hashes. Adding SCRAM was enough work and
> created a lot of client-v-server and cross-version incompatibility
> already; nobody is in a hurry to repeat that. Moreover, I know of
> no reason to think that SHA-256 isn't perfectly adequate.
If history is any guide, every algorithm will eventually look too
weak. It seems inevitable that we're going to have to keep changing
algorithms as time passes. However, it seems like SCRAM is designed so
that different hash functions can be substituted into it, so what I'm
hoping is that we can keep SCRAM and just replace SCRAM-SHA-256 with
SCRAM-WHATEVER when SHA-256 starts to look too weak.
What I find a bit surprising about Anbazhagan's question is that he
asks about PBKDF2, which seems to be part of SCRAM already.[1] In
fact, I think all the things he lists are key derivation functions,
not hash functions. I'm far from a cryptography expert, but it seems
surprising to me that somebody would be concerned about the KDF rather
than the hash function. We know that people get concerned about code
that still uses MD5, for example, or SHA-1, but this is the first time
I can remember someone expressing a concern about a KDF.
Anbazhagan, or anyone, is there some reason to think that the PBKDF2
approach used by SCRAM is a problem?
--
Robert Haas
EDB: http://www.enterprisedb.com
[1]
https://en.wikipedia.org/wiki/Salted_Challenge_Response_Authentication_Mechanism#Password-based_derived_key,_or_salted_password
