Re: md5 auth procotol - can it be replayed?

From Tom Lane
Subject Re: md5 auth procotol - can it be replayed?
Date
Msg-id 23281.1462638517@sss.pgh.pa.us
In reply to Re: md5 auth procotol - can it be replayed?  (Stephen Frost <sfrost@snowman.net>)
Responses Re: md5 auth procotol - can it be replayed?  (Nagy László Zsolt <gandalf@shopzeus.com>)
List pgsql-admin
Stephen Frost <sfrost@snowman.net> writes:
> * Nagy László Zsolt (gandalf@shopzeus.com) wrote:
>> Am I missing something?

> There is a challenge/response component, so the md5 hash which is stored
> is not what is sent across the wire.  That prevents replay attacks when
> the attacker is simply sniffing the network.

Worth noting here is that the challenge key space is not all that huge,
so an attacker who captures a large number of challenge/response pairs
would have a good probability of being able to answer the next challenge
successfully.  However, if you're concerned about sniffing of your
database connections happening on that scale, you really ought to be using
SSL encryption which would make the whole thing moot.  In many cases,
capturing a database session would reveal lots of interesting data passing
over the wire whether or not you'd captured a usable password --- so I'd
call it fairly irresponsible to not be using SSL if you think your
connection is open to sniffing.

            regards, tom lane
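An added example, not code from the thread or from PostgreSQL itself: the md5 challenge/response exchange Stephen and Tom are discussing, written out so the two points above are visible. The server issues a 4-byte salt and the client answers with md5 over the stored hash and that salt, so the stored value never crosses the wire and an answer for one salt fails under another; `reuse_chance` then quantifies Tom's remark that the challenge space (2^32 salts) is not huge. The user name and password are constructed for the demo.

```python
import hashlib
import os

# Constructed demo credentials (not taken from the list thread).
DEMO_USER = "alice"
DEMO_PASSWORD = "correct horse battery"
SALT_BYTES = 4  # PostgreSQL md5 auth sends a 4-byte random salt per connection


def _md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_verifier(password: str, user: str) -> str:
    """Value kept on the server: 'md5' + md5(password || username)."""
    return "md5" + _md5_hex(password.encode() + user.encode())


def client_response(stored: str, salt: bytes) -> str:
    """Wire answer: 'md5' + md5(hex part of the stored value || salt).
    The stored value itself never crosses the wire; the salt binds the
    answer to this particular connection."""
    return "md5" + _md5_hex(stored[3:].encode() + salt)


def server_accepts(stored: str, salt: bytes, response: str) -> bool:
    """Server recomputes the expected answer for the salt it issued."""
    return client_response(stored, salt) == response


def run_exchange(password: str = DEMO_PASSWORD, user: str = DEMO_USER) -> dict:
    """One full md5 handshake: server picks a fresh salt, client answers,
    server verifies. Returns the pieces so callers can inspect them."""
    stored = stored_verifier(password, user)
    salt = os.urandom(SALT_BYTES)          # server-side challenge
    response = client_response(stored, salt)
    return {"salt": salt, "response": response,
            "accepted": server_accepts(stored, salt, response)}


def reuse_chance(captured_pairs: int, salt_bytes: int = SALT_BYTES) -> float:
    """Probability that the next uniformly random salt is one already present
    among `captured_pairs` distinct captured challenge/response pairs:
    n / 2^(8*salt_bytes), capped at 1. With a 4-byte salt the space is only
    2^32, which is why a large capture makes a successful answer likely."""
    return min(1.0, captured_pairs / 2 ** (8 * salt_bytes))
```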

