Re: [HACKERS] SCRAM salt length
From | Aleksander Alekseev |
---|---|
Subject | Re: [HACKERS] SCRAM salt length |
Date | |
Msg-id | 20170816151028.GA13062@e733.localdomain |
In response to | [HACKERS] SCRAM salt length (Peter Eisentraut <peter.eisentraut@2ndquadrant.com>) |
Responses | Re: [HACKERS] SCRAM salt length |
List | pgsql-hackers |

Hi Peter,

> The SCRAM salt length is currently set as
>
> /* length of salt when generating new verifiers */
> #define SCRAM_DEFAULT_SALT_LEN 12
>
> without further comment.
>
> I suspect that this length was chosen based on the example in RFC 5802
> (SCRAM-SHA-1) section 5. But the analogous example in RFC 7677
> (SCRAM-SHA-256) section 3 uses a length of 16. Should we use that instead?

Maybe this length was chosen just because it becomes a 16-character string after base64encode. If I understand correctly, RFC 5802 and RFC 7677 don't say much about the required or recommended length of the salt. I personally believe that 2^96 possible salts is consistent with both RFCs and should be enough in practice.

--
Best regards,
Aleksander Alekseev