From: | <korryd(at)enterprisedb(dot)com> |
---|---|
To: | "John D(dot) Burger" <john(at)mitre(dot)org> |
Cc: | "pgsql-general postgresql(dot)org" <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: How to allow users to log on only from my application |
Date: | 2007-02-01 21:06:47 |
Message-ID: | 1170364007.6941.213.camel@sakai.localdomain |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
> > Say that your application offers a way for each user to set/change
> > his own password.
> >
> > When I (using your application) change my password, you could
> > combine my new password with a secret value and then send the
> > result to the PG server (so now the PG server thinks that my
> > password is my_password+your_secret).
>
> This is a special case of (2,2) secret sharing:
>
> http://en.wikipedia.org/wiki/Secret_sharing
>
> Here the secret is the actual password, a+b, shared into two parts, a
> and b. The above scheme suffers from the problem that the user now
> knows quite a lot about the secret.
Hmmm... how would the user know anything about the secret unless he
could somehow get to the resulting combined password?
For example, if my password is "chocolate" and the application secret is
"fudge", I can't recover any part of the combination "chocolate-fudge"
unless I can:
a) see "chocolate-fudge" in the network data stream (assume that I can't
because Andrus is smart enough to avoid sending cleartext passwords over
the net)
b) see "chocolate-fudge" in the PG password table (again, Andrus is
smart enough to use MD5 authentication so "chocolate-fudge" is never
stored on the server)
> If this is an issue, there are
> more sophisticated combining schemes that give the user no advantage
> over someone who knows neither half of the secret.
Absolutely, but I wanted to get the basic idea across. Andrus'
application knows the correct password for each user (or, more
precisely, his application knows how to derive the correct password from
the user-supplied password - Andrus doesn't have to store each password
on the client side or anything like that) so his application can log in,
but the users don't know any valid passwords so they can't get into the
database with a tool like PgAdmin.
So, in your opinion, this isn't a crazy idea? It should work? But it
could be made more secure if Andrus is particularly paranoid.
-- Korry
P.S. Thanks for the feedback.
From | Date | Subject | |
---|---|---|---|
Next Message | Scott Marlowe | 2007-02-01 21:08:14 | Re: Production systems beware: U.S. Daylight Savings Time comes at a new time this year |
Previous Message | Dave Page | 2007-02-01 20:48:27 | Re: I "might" have found a bug on 8.2.1 win32 |