Re: [HACKERS] Re: Hashing passwords (was Updated TODO list)
Gene Sokolov <hook@aktrad.ru>
From: "Gene Sokolov" <hook@aktrad.ru>
To: "Mattias Kregert" <matti@algonet.se>
Cc: <pgsql-hackers@postgreSQL.org>
Date: 1999-07-12T13:32:46Z
Lists: pgsql-hackers
I looked it up. One problem with this protocol imho is extensive use of modular exponentiation. This operation is heavy. The login procedure would be cpu-intensive. Second - the protocol covers secure authentication. Data is sent unencrypted anyway. I think it is not wise to spending a lot of effort on secure login without securing the data channel. "Building secure PgSQL" would be an interesting subject of discussion though. Gene Sokolov. From: Mattias Kregert <matti@algonet.se> > Another nice thing with SRP is that it is a mutual authentication. A > third party cannot say "hey i'm the server, please connect to me. Sure, > your password is correct, start sending queries... INSERT? ok, sure, > INSERT 1 1782136. go on..." and steal a lot of data... the SRP client > always knows if it is talking to the real thing. No more third party > attacks... > http://srp.stanford.edu/srp/others.html > > /* m */