| From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
|---|---|
| To: | Benjamin Adida <ben(at)mit(dot)edu> |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Vince Vielhaber <vev(at)michvhf(dot)com>, The Hermit Hacker <scrappy(at)hub(dot)org>, "Sverre H(dot) Huseby" <sverrehu(at)online(dot)no>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: You're on SecurityFocus.com for the cleartext passwords. |
| Date: | 2000-05-06 18:51:25 |
| Message-ID: | 200005061851.OAA20520@candle.pha.pa.us |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general pgsql-hackers |
> Okay, my understanding was that the protocol would work as follows:
>
> - client requests login
> - server sends stored salt c1, and random salt c2.
> - client performs hash_c2(hash_c1(password)) and sends result to server.
> - server performs hash_c2(stored_pg_shadow) and compares with client
> submission.
> - if there's a match, there's successful login.
>
> This protocol will truly create a challenge-response where the communication
> is different at each login, and where sniffing one
> hash_c2(hash_c1(password)) doesn't give you any way to log in with a
> different c2.
Yes.
--
Bruce Momjian | http://www.op.net/~candle
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2000-05-06 18:54:22 | Re: You're on SecurityFocus.com for the cleartext passwords. |
| Previous Message | Bruce Momjian | 2000-05-06 18:50:59 | Re: You're on SecurityFocus.com for the cleartext passwords. |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2000-05-06 18:54:22 | Re: You're on SecurityFocus.com for the cleartext passwords. |
| Previous Message | Bruce Momjian | 2000-05-06 18:50:59 | Re: You're on SecurityFocus.com for the cleartext passwords. |