md5 again - Mailing list pgsql-hackers
| From | Vince Vielhaber |
|---|---|
| Subject | md5 again |
| Date | |
| Msg-id | Pine.BSF.4.21.0007111036310.97059-100000@paprika.michvhf.com Whole thread Raw |
| Responses |
Re: md5 again
(Bruce Momjian <pgman@candle.pha.pa.us>)
Re: md5 again (Tom Lane <tgl@sss.pgh.pa.us>) Re: md5 again (Karel Zak <zakkr@zf.jcu.cz>) |
| List | pgsql-hackers |
Since I broke my table on hub and am awaiting assistance I'm shifting away from the website temporarily and back to the md5 stuff. In going over the previous conversations I've come up with the following: The client can be sending the password in either plain text or in hashed form with one of the two scenarios for a login process: direction what ---------------------------------------------- CL -> PG username PG -> CL random salt CL -> PG plaintext passwd CL -> PG username PG -> CL random salt CL -> PG encrypted passwd ---------------------------------------------- When PG receives the password, it doesn't know if the password is encrypted or not. It checks first plaintext matching, then encrypted matching using the random salt it sent to CL. --------------------------------------------- Possible encryption methods: MD5(password+salt) MD5(MD5(password) + MD5(salt)) MD5(password+salt) MD5(MD5(username+password)+salt) MD5(MD5(username+password)+MD5(salt)) MD5(MD5(username+password+salt)) and many others. --------------------------------------------- Is there a preference to the method used? Also while thinking about this and the vulnerability of the wire itself, I've also come up with something that may enhance the login security. If CL sends the MD5 of the username rather than the plaintext username, only CL and PG will know what the username is. PG will know it by comparing it with the MD5 of every username in pg_shadow. So even if the wire is being sniffed the unhashed username can be used in the password's encryption along with the salt sent by PG. This method will take longer for a user to log in, but the login process is only per session, not per SQL call. Comments? Vince. -- ========================================================================== Vince Vielhaber -- KA8CSH email: vev@michvhf.com http://www.pop4.net128K ISDN from $22.00/mo - 56K Dialup from $16.00/moat Pop4 Networking Online Campground Directory http://www.camping-usa.com Online Giftshop Superstore http://www.cloudninegifts.com ==========================================================================
pgsql-hackers by date: