From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
---|---|
To: | "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | reducing our reliance on MD5 |
Date: | 2015-02-11 00:21:09 |
Message-ID: | CA+TgmoaWdkNBT4mNZ+wf=fgjd7aV9bq7NtsvCha7yeoX0LyQPg@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
There have been a few previous attempts to wean PostgreSQL off of MD5.
Back in 2012, Heikki proposed using SCRAM for our next-generation
authentication mechanism:
http://www.postgresql.org/message-id/507550BD.2030401@vmware.com
That seems likely to be a good idea, but nobody's come up with a
patch. Peter Bex *did* come up with a patch to replace MD5
authentication with "bcrypt", which I guess is based on Blowfish:
http://www.postgresql.org/message-id/20121227144638.GC610@frohike.homeunix.org
Although the patch was described as relatively easy to write, it never
went anywhere, because it *replaced* MD5 authentication with bcrypt,
which would be a big problem for existing clients. It seems clear
that we should add something new and not immediately kill off what
we've already got, so that people can transition smoothly. An idea I
just had today is to keep using basically the same system that we are
currently using for MD5, but with a stronger hash algorithm, like
SHA-1 or SHA-2 (which includes SHA-224, SHA-256, SHA-384, and
SHA-512). Those are slower, but my guess is that even SHA-512 is not
enough slower for anybody to care very much, and if they do, well
that's another reason to make use of the new stuff optional.
Maybe we could make the authentication handshake pluggable:
typedef (*password_encryption_fn)(const char *passwd, const char
*salt, size_t salt_len, char *buf); // like pg_md5_encrypt
extern void register_encrypted_authentication_type(char *name,
password_encryption_fn);
Then we could add a _PG_init() function to pgcrypto that would enable
the use of whatever pgcrypto has got to offer as authentication
handshake methods. This has a couple of advantages. First, we don't
have to suck pgcrypto into core, something we've been reluctant to do;
second, if MD5 or any successor algorithm is shown to be insecure,
users can just drop in a new one, either provided by us or one they
write themselves or something in an external library they have and can
integrate to.
There are a few complications:
1. Each encryption algorithm requires a wire-protocol constant to
identify it, and the client and the server have to agree on that
value. So we'd have to define constants for whatever algorithms we
want to provide via the core distribution, and possibly either
maintain a registry of other values or at least set aside a space
(values > 1e6, maybe) that is reserved for use by extensions.
2. We'd have to figure out how to get support for the new algorithms
into libpq. This actually seems a good bit harder than doing it on
the server-side, because I don't think libpq has any dynamic loading
facilities the way the server does.
Thoughts?
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
From | Date | Subject | |
---|---|---|---|
Next Message | Peter Geoghegan | 2015-02-11 00:32:20 | Re: reducing our reliance on MD5 |
Previous Message | Tatsuo Ishii | 2015-02-11 00:07:40 | Re: Typo in logicaldecoding.sgml |