| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | Nagy László Zsolt <gandalf(at)shopzeus(dot)com>, pgsql-admin(at)postgresql(dot)org |
| Subject: | Re: md5 auth procotol - can it be replayed? |
| Date: | 2016-05-07 16:28:37 |
| Message-ID: | 23281.1462638517@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-admin |
Stephen Frost <sfrost(at)snowman(dot)net> writes:
> * Nagy Lszl Zsolt (gandalf(at)shopzeus(dot)com) wrote:
>> Am I missing something?
> There is a challenge/response compoent, so the md5 hash which is stored
> is not what is sent across the wire. That prevents replay attacks when
> the attacker is simply sniffing the network.
Worth noting here is that the challenge key space is not all that huge,
so an attacker who captures a large number of challenge/response pairs
would have a good probability of being able to answer the next challenge
successfully. However, if you're concerned about sniffing of your
database connections happening on that scale, you really ought to be using
SSL encryption which would make the whole thing moot. In many cases,
capturing a database session would reveal lots of interesting data passing
over the wire whether or not you'd captured a usable password --- so I'd
call it fairly irresponsible to not be using SSL if you think your
connection is open to sniffing.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Nagy László Zsolt | 2016-05-07 17:53:07 | Re: md5 auth procotol - can it be replayed? |
| Previous Message | Stephen Frost | 2016-05-07 15:51:24 | Re: md5 auth procotol - can it be replayed? |