Re: MD5 authentication needs help

From: Heikki Linnakangas <hlinnaka(at)iki(dot)fi>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Magnus Hagander <magnus(at)hagander(dot)net>, Bruce Momjian <bruce(at)momjian(dot)us>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: MD5 authentication needs help
Date: 2015-03-04 19:15:42
Message-ID: 54F759DE.2020109@iki.fi
Lists: pgsql-hackers

On 03/04/2015 08:59 PM, Stephen Frost wrote:
> * Heikki Linnakangas (hlinnaka(at)iki(dot)fi) wrote:
>> The big difference between SRP and SCRAM is that if you eavesdrop
>> the SCRAM handshake, you can use that information to launch a
>> brute-force or dictionary attack. With SRP, you cannot do that. That
>> makes it relatively safe to use weak passwords with SRP, which is
>> not the case with SCRAM (nor MD5)
>
> Thanks for the info!
>
> Looking around a bit, one issue with SRP (as pointed out by Simon
> Josefsson, the author of the SCRAM implementation for GNU SASL) is that
> the username is included in the verifier (similar to our implementation
> today with MD5) meaning that the stored data on the server is no longer
> valid if the username is changed. Obviously, our users are used to
> that, but it's still something to be considered.

Yes, good point, that's yet another thing that needs to be considered.

> One question though- isn't the iteration option to SCRAM intended to
> address the dictionary/brute force risk? SRP uses an exponentiation
> instead of iterations but it's unclear to me if one is really strictly
> better or worse than the other (nor have I found any discussion of that
> comparison) for this vector.

Not sure what you mean. Yes, the iterations option in SCRAM is designed
to make brute forcing more expensive. For both a captured authentication
handshake, or if you steal a backup tape.

I'm not sure how expensive a brute force attack on SRP would be, using a
stolen backup tape. There doesn't seem to be an iterations count similar
to SCRAM. But note that SRP's resistance to brute-forcing the
authentication handshake is of a different kind. It's not just
expensive, but outright impossible. (Don't ask me how that works; I'm
not well-versed in the maths involved.) That's a big advantage because
it means that it's OK to use a fairly weak password like 'foobar123'
that would be trivially cracked with a dictionary attack. (You can still
connect to the server and try different passwords, but the server can
log that and throttle how many guesses / minute it lets you do.)

- Heikki
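The four-message SCRAM-SHA-256 exchange that Heikki's reply is about, written out as an added example (not code from the thread or from PostgreSQL). The username, password, nonces, salt and iteration count are constructed to match the inputs of the worked example in RFC 7677; the server-side verifier (StoredKey and ServerKey) is what a stolen backup would expose, and the salt, iteration count, nonces and client proof are what an eavesdropper sees on the wire. Every guess checked against either of those costs one Hi() computation, i.e. `i` rounds of PBKDF2-HMAC-SHA-256, which is exactly the knob the iteration count turns. SASLprep of the password is omitted, which is only valid for plain ASCII passwords (an assumption of this example).

```python
import base64
import hashlib
import hmac

# Constructed inputs matching the example exchange in RFC 7677.
USERNAME = "user"
PASSWORD = "pencil"
CLIENT_NONCE = "rOprNGfwEbeRWgbNEkqO"
SERVER_NONCE_SUFFIX = "%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0"
SALT = base64.b64decode("W22ZaJ0SNY7soEsUEjb6gQ==")
ITERATIONS = 4096
GS2_HEADER = "n,,"  # no channel binding; base64("n,,") == "biws"


def hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    """SCRAM's Hi() is PBKDF2 with HMAC-SHA-256 and a 32-byte output."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_verifier(password: str, salt: bytes, iterations: int) -> dict:
    """What the server stores instead of the password. A stolen backup yields
    these plus salt and i; checking one guess against them costs `iterations`
    PBKDF2 rounds, which is what the iteration count buys the defender."""
    salted = hi(password.encode(), salt, iterations)
    client_key = hmac_sha256(salted, b"Client Key")
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": h(client_key),
        "server_key": hmac_sha256(salted, b"Server Key"),
    }


def scram_exchange(password_tried: str, verifier: dict) -> dict:
    """Run client-first, server-first, client-final and server-final between a
    client that knows `password_tried` and a server holding `verifier`."""
    client_first_bare = f"n={USERNAME},r={CLIENT_NONCE}"
    client_first = GS2_HEADER + client_first_bare

    # Server: extend the nonce, announce salt and iteration count (all on the wire).
    nonce = CLIENT_NONCE + SERVER_NONCE_SUFFIX
    salt_b64 = base64.b64encode(verifier["salt"]).decode()
    server_first = f"r={nonce},s={salt_b64},i={verifier['iterations']}"

    # Client: derive keys from its password and the announced salt/i, then
    # send a proof bound to the whole transcript so far (AuthMessage).
    cbind = base64.b64encode(GS2_HEADER.encode()).decode()
    client_final_bare = f"c={cbind},r={nonce}"
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode()
    salted = hi(password_tried.encode(), verifier["salt"], verifier["iterations"])
    client_key = hmac_sha256(salted, b"Client Key")
    client_sig = hmac_sha256(h(client_key), auth_message)
    client_proof = xor(client_key, client_sig)
    client_final = client_final_bare + ",p=" + base64.b64encode(client_proof).decode()

    # Server: recover ClientKey from the proof and compare H(ClientKey) with StoredKey.
    recovered_key = xor(client_proof, hmac_sha256(verifier["stored_key"], auth_message))
    server_accepts = hmac.compare_digest(h(recovered_key), verifier["stored_key"])

    # Server: on success, prove it holds ServerKey; the client checks that proof
    # with its own derivation so a fake server cannot pass as the real one.
    if server_accepts:
        server_sig = hmac_sha256(verifier["server_key"], auth_message)
        server_final = "v=" + base64.b64encode(server_sig).decode()
        expected = hmac_sha256(hmac_sha256(salted, b"Server Key"), auth_message)
        client_accepts = hmac.compare_digest(server_sig, expected)
    else:
        server_final = "e=invalid-proof"
        client_accepts = False

    return {
        "client_first": client_first,
        "server_first": server_first,
        "client_final": client_final,
        "server_final": server_final,
        "server_accepts": server_accepts,
        "client_accepts": client_accepts,
    }


if __name__ == "__main__":
    verifier = make_verifier(PASSWORD, SALT, ITERATIONS)
    for step, msg in scram_exchange(PASSWORD, verifier).items():
        print(f"{step}: {msg}")
```

Note which values never leave the client: the password, SaltedPassword and ClientKey. Everything else, including `i`, is public, so the cost of one offline guess against a captured handshake is set entirely by the iteration count the server chose when the verifier was created; SRP's protection against the same eavesdropper, as Heikki describes it, does not rest on that cost at all.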
