Quick Links

md5 again

From:	Vince Vielhaber <vev(at)michvhf(dot)com>
To:	pgsql-hackers(at)postgreSQL(dot)org
Subject:	md5 again
Date:	2000-07-11 14:50:20
Message-ID:	Pine.BSF.4.21.0007111036310.97059-100000@paprika.michvhf.com
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-hackers

Since I broke my table on hub and am awaiting assistance I'm shifting
away from the website temporarily and back to the md5 stuff. In going
over the previous conversations I've come up with the following:

The client can be sending the password in either plain text or in
hashed form with one of the two scenarios for a login process:

direction what
----------------------------------------------
CL -> PG username
PG -> CL random salt
CL -> PG plaintext passwd

CL -> PG username
PG -> CL random salt
CL -> PG encrypted passwd

----------------------------------------------

When PG receives the password, it doesn't know if the password is
encrypted or not. It checks first plaintext matching, then encrypted
matching using the random salt it sent to CL.

---------------------------------------------

Possible encryption methods:

MD5(password+salt)

MD5(MD5(password) + MD5(salt))

MD5(password+salt)

MD5(MD5(username+password)+salt)

MD5(MD5(username+password)+MD5(salt))

MD5(MD5(username+password+salt))

and many others.

---------------------------------------------

Is there a preference to the method used?

Also while thinking about this and the vulnerability of the wire itself,
I've also come up with something that may enhance the login security.

If CL sends the MD5 of the username rather than the plaintext username,
only CL and PG will know what the username is. PG will know it by
comparing it with the MD5 of every username in pg_shadow. So even if the
wire is being sniffed the unhashed username can be used in the password's
encryption along with the salt sent by PG. This method will take longer
for a user to log in, but the login process is only per session, not per
SQL call.

Comments?

Vince.
--
==========================================================================
Vince Vielhaber -- KA8CSH email: vev(at)michvhf(dot)com http://www.pop4.net
128K ISDN from $22.00/mo - 56K Dialup from $16.00/mo at Pop4 Networking
Online Campground Directory http://www.camping-usa.com
Online Giftshop Superstore http://www.cloudninegifts.com
==========================================================================

Responses

Re: md5 again at 2000-07-11 15:00:04 from Bruce Momjian
Re: md5 again at 2000-07-11 16:32:16 from Tom Lane
Re: md5 again at 2000-07-11 16:51:46 from Karel Zak

Browse pgsql-hackers by date

	From	Date	Subject
Next Message	Bruce Momjian	2000-07-11 15:00:04	Re: md5 again
Previous Message	Bruce Momjian	2000-07-11 14:49:20	Re: AW: update on TOAST status'