Home > mailing lists

Re: reducing our reliance on MD5 - Mailing list pgsql-hackers

From	Claudio Freire
Subject	Re: reducing our reliance on MD5
Date	February 12, 2015 00:31:00
Msg-id	CAGTBQpZYFPSDe-Upm+iBhQZHQKHMybzdG8ta6iPOn+knExqFgw@mail.gmail.com Whole thread Raw
In response to	Re: reducing our reliance on MD5 (Heikki Linnakangas <hlinnakangas@vmware.com>)
Responses	Re: reducing our reliance on MD5 (Claudio Freire <klaussfreire@gmail.com>) Re: reducing our reliance on MD5 (Heikki Linnakangas <hlinnakangas@vmware.com>)
List	pgsql-hackers

Tree view

On Wed, Feb 11, 2015 at 5:25 PM, Heikki Linnakangas
<hlinnakangas@vmware.com> wrote:
> On 02/11/2015 06:35 AM, Claudio Freire wrote:
>>
>> Usually because handshakes use a random salt on both sides. Not sure
>> about pg's though, but in general collision strength is required but
>> not slowness, they're not bruteforceable.
>
>
> To be precise: collision resistance is usually not important for hashes used
> in authentication handshakes. Not for our MD5 authentication method anyway;
> otherwise we'd be screwed. What you need is resistance to pre-image attacks.

AFAIK, if I find a colliding string to the MD5 stored in pg_authid, I
can specify that to libpq and get authenticated.

Am I missing something?

pgsql-hackers by date:

From: Robert Haas
Date: 11 February 2015, 23:49:26
Subject: Re: Parallel Seq Scan

From: Claudio Freire
Date: 12 February 2015, 00:37:40
Subject: Re: reducing our reliance on MD5

Re: reducing our reliance on MD5 - Mailing list pgsql-hackers

Previous

Next