Re: [HACKERS] Re: Hashing passwords (was Updated TODO list)

From: "Gene Sokolov" <hook(at)aktrad(dot)ru>
To: "Mattias Kregert" <matti(at)algonet(dot)se>
Cc: <pgsql-hackers(at)postgreSQL(dot)org>
Subject: Re: [HACKERS] Re: Hashing passwords (was Updated TODO list)
Date: 1999-07-12 13:32:46
Message-ID: 00a901becc6b$0730fad0$0d8cdac3@aktrad.ru
Lists: pgsql-hackers

I looked it up.
One problem with this protocol imho is extensive use of modular
exponentiation. This operation is heavy. The login procedure would be
cpu-intensive.
Second - the protocol covers secure authentication. Data is sent unencrypted
anyway. I think it is not wise to spend a lot of effort on secure login
without securing the data channel. "Building secure PgSQL" would be an
interesting subject of discussion though.

Gene Sokolov.

From: Mattias Kregert <matti(at)algonet(dot)se>
> Another nice thing with SRP is that it is a mutual authentication. A
> third party cannot say "hey i'm the server, please connect to me. Sure,
> your password is correct, start sending queries... INSERT? ok, sure,
> INSERT 1 1782136. go on..." and steal a lot of data... the SRP client
> always knows if it is talking to the real thing. No more third party
> attacks...
> http://srp.stanford.edu/srp/others.html
>
> /* m */
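
An added illustration, not part of either message in this thread: a compact SRP-6a-style exchange in Python showing both points raised above, the modular exponentiations each side performs and the client's check of the server's proof. The group parameters, hash construction and all function names are assumptions made for the demo and do not come from the thread or from PostgreSQL.

```python
import hashlib
import secrets

# Demo-only group (assumption): 2**521 - 1 is prime but not a safe prime.
# Real SRP deployments use a standardized safe-prime group.
N, g = 2**521 - 1, 3
modexps = {"client": 0, "server": 0}  # modular exponentiations per side

def H(*parts):
    """SHA-256 over length-prefixed parts (bytes or ints), as an integer."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        h.update(len(p).to_bytes(4, "big") + p)
    return int.from_bytes(h.digest(), "big")

def mexp(side, base, exponent):
    """Modular exponentiation that also counts the work done by each side."""
    modexps[side] += 1
    return pow(base, exponent, N)

k = H(N, g)  # SRP-6a multiplier

def enroll(user, password):
    """Server stores (salt, verifier); the password itself is never stored."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, H(salt, user, password), N)

def login(user, password, salt, server_v):
    """One exchange; returns (server accepts client, client accepts server)."""
    a = secrets.randbelow(N - 2) + 1
    b = secrets.randbelow(N - 2) + 1
    A = mexp("client", g, a)                       # client -> server: user, A
    B = (k * server_v + mexp("server", g, b)) % N  # server -> client: salt, B
    u = H(A, B)
    if A % N == 0 or B % N == 0 or u == 0:
        raise ValueError("degenerate public value, abort the handshake")
    x = H(salt, user, password)
    S_c = mexp("client", (B - k * mexp("client", g, x)) % N, a + u * x)
    S_s = mexp("server", (A * mexp("server", server_v, u)) % N, b)
    M1 = H(A, B, S_c)                              # client -> server: proof
    server_ok = M1 == H(A, B, S_s)
    M2 = H(A, M1, S_s)                             # server -> client: proof
    client_ok = M2 == H(A, M1, S_c)                # fails for an impostor
    return server_ok, client_ok
```

Each login costs three modular exponentiations per side in this sketch. When `server_v` is not the enrolled verifier, the client's check of `M2` fails, so the client does not accept a server that merely claims the password was correct.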
