Re: Some thoughts about SCRAM implementation

From: Heikki Linnakangas <hlinnaka(at)iki(dot)fi>
To: Magnus Hagander <magnus(at)hagander(dot)net>, Bruce Momjian <bruce(at)momjian(dot)us>
Cc: Stephen Frost <sfrost(at)snowman(dot)net>, Álvaro Hernández Tortosa <aht(at)8kdata(dot)com>, Andres Freund <andres(at)anarazel(dot)de>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Some thoughts about SCRAM implementation
Date: 2017-04-12 09:13:03
Message-ID: ee93b36d-59d2-35e6-dd0c-fb7c9cc65e0c@iki.fi
Lists: pgsql-hackers

On 04/12/2017 11:22 AM, Magnus Hagander wrote:
> On Wed, Apr 12, 2017 at 3:25 AM, Bruce Momjian <bruce(at)momjian(dot)us> wrote:
>
>> And which enterprises are using SSL without certificates? And I thought
>> channel binding required certificates anyway, e.g.:
>>
>> https://en.wikipedia.org/wiki/Salted_Challenge_Response_Authentication_Mechanism#Channel_binding
>>
>> For instance, for the tls-server-end-point channel binding, it is the
>> server's TLS certificate.
>
> AFAIK it does require the TLS certificates, but it does not require TLS
> certificate *validation*. You can use channel binding with just self-signed
> certs.

tls-server-end-point channel binding type relies on certificates. But
SCRAM uses "tls-unique" by default, and it does not use certificates.
It's a bit weird that the Wikipedia article uses tls-server-end-point as
the example, I don't know why anyone would use tls-server-end-point with
SCRAM.

> That said, I stand by my comment that I don't think it's the enterprises
> that need or want the channel binding. If they care about it, they have
> already put certificate validation in place, and it won't buy them anything.
>
> Because channel binding also only secures the authentication (SCRAM), not
> the actual contents and commands that are then sent across the channel,
> AFAIK?

TLS protects the contents and the commands. The point of channel binding
is to defeat a MITM attack, where the client connects to a malicious
server, using TLS, which then connects to the real server, using another
TLS connection. Channel binding will detect that the client and the real
server are not communicating over the same TLS connection, but two
different TLS connections, and make the authentication fail.

SSL certificates, with validation, achieve the same, but channel
binding achieves it without the hassle of certificates.

- Heikki
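
Added example, not part of the message above and not PostgreSQL's code: a Python model of the SCRAM-SHA-256 proof computation (RFC 5802) with tls-unique channel binding, showing why authentication fails when the client and the real server sit on two different TLS connections. The tls-unique values are simulated with random bytes, and the user name, password and nonces are constructed.

```python
import base64, hashlib, hmac, os

GS2 = b"p=tls-unique,,"  # gs2-header announcing tls-unique channel binding

def _hmac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def stored_key(password, salt, iters):
    """What the server keeps: H(HMAC(SaltedPassword, "Client Key"))."""
    salted = hashlib.pbkdf2_hmac("sha256", password, salt, iters)
    return hashlib.sha256(_hmac(salted, b"Client Key")).digest()

def cbind_attr(tls_unique):
    return b"c=" + base64.b64encode(GS2 + tls_unique)

def client_final(password, salt, iters, first_msgs, nonce, tls_unique):
    """Client side: (c= attribute, ClientProof), both tied to the client's TLS connection."""
    salted = hashlib.pbkdf2_hmac("sha256", password, salt, iters)
    client_key = _hmac(salted, b"Client Key")
    c = cbind_attr(tls_unique)
    auth_message = first_msgs + b"," + c + b",r=" + nonce
    sig = _hmac(hashlib.sha256(client_key).digest(), auth_message)
    return c, bytes(a ^ b for a, b in zip(client_key, sig))

def server_verify(skey, first_msgs, nonce, tls_unique, c, proof):
    """Server side: c= must match the server's own TLS connection and the proof must cover it."""
    if not hmac.compare_digest(c, cbind_attr(tls_unique)):
        return False
    sig = _hmac(skey, first_msgs + b"," + c + b",r=" + nonce)
    client_key = bytes(a ^ b for a, b in zip(proof, sig))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), skey)

def demo():
    pw, salt, iters = b"constructed-password", os.urandom(16), 4096
    skey = stored_key(pw, salt, iters)
    nonce = base64.b64encode(os.urandom(18))  # client nonce + server nonce
    first = (b"n=user,r=" + nonce[:12] + b",r=" + nonce +
             b",s=" + base64.b64encode(salt) + b",i=4096")
    direct = os.urandom(12)                               # one TLS connection, same value at both ends
    to_relay, to_server = os.urandom(12), os.urandom(12)  # two TLS connections through a relay
    c, proof = client_final(pw, salt, iters, first, nonce, direct)
    ok_direct = server_verify(skey, first, nonce, direct, c, proof)
    c, proof = client_final(pw, salt, iters, first, nonce, to_relay)
    forwarded = server_verify(skey, first, nonce, to_server, c, proof)
    rewritten = server_verify(skey, first, nonce, to_server, cbind_attr(to_server), proof)
    return ok_direct, forwarded, rewritten

if __name__ == "__main__":
    print(demo())
```

Forwarding the client's c= attribute unchanged fails the server's channel comparison, and rewriting it to the server-side value fails the proof check, because the proof covers the c= attribute through AuthMessage.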
