Re: Postgres 11 release notes
Bruce Momjian <bruce@momjian.us>
On Wed, May 16, 2018 at 01:22:45PM +0900, Michael Paquier wrote: > On Mon, May 14, 2018 at 08:45:44PM -0400, Bruce Momjian wrote: > > What TLS does is to mix the offered ciphers into the negotiation hash so > > a man-in-the-middle can't pretend it doesn't support something. Could > > we do something like that here? > > I have to admit that I don't quite follow here, the shape of channel > binding data is decided by RFC 5929, so we need to stick with it. OK, let me explain. First, there are two man-in-the-middle types of attacks. The first one allows the two legitimate ends of the TLS connection to negotiate the shared secret between themselves, but injects or changes some of the packets before the shared secret is agreed upon, perhaps to downgrade the strength of the protocol options. TLS prevents this type of man-in-the-middle attack by hashing the shared secret with a hash of all of the TLS negotiation messages previously sent. Each side who knows the shared secret can verify that no messages were changed; see: https://security.stackexchange.com/questions/115284/how-can-an-attacker-downgrade-modify-the-cipher-suites-when-they-are-maced-fre The second type of man-in-the-middle attack is where the man-in-the-middle is negotiating the shared secret separately with the two end points. There is no way to detect this without having some shared secret between the two valid end points. One shared secret is the password hashed with the shared secret, which is what tls-unique uses. The second uses the server certificate hashed with the shared secret. This is now documented in Postgres: In <acronym>SCRAM</acronym> with <literal>tls-unique</literal> channel binding, the shared secret negotiated during the SSL session is mixed into the user-supplied password hash. The shared secret is partly chosen by the server, but not directly transmitted, making it impossible for a fake server to create an SSL connection with the client that has the same shared secret it has with the real server. <acronym>SCRAM</acronym> with <literal>tls-server-end-point</literal> mixes a hash of the server's certificate into the user-supplied password hash. While a fake server can retransmit the real server's certificate, it doesn't have access to the private key matching that certificate, and therefore cannot prove it is the owner, causing SSL connection failure. TLS prevents a man-in-the-middle from injecting invalid packets. However, it does not prevent a man-in-the-middle attack with separeate shared secret negotiation unless certificates are used. The current problem under discussion is the same as that of the man-in-the-middle packet change/injection attack in that the man-in-the-middle can change the options reported as supported by the Postgres server, before the password is sent. The most efficient fix for this would be for the all Postgres protocol messages up to the point where the authentication was chosen to be hashed with the password and sent to the server. In that way, if a man-in-the-middle changed the server-reported supported authentication, the server would identify this and refuse the connection. The problem is that current and past-version PG authentication methods don't have any protocol downgrade protection, and it is hard to add it unless you just remove support for old protocols. I think the only reasonable solution is to allow the client and/or server to force channel binding. -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + As you are, so once was I. As I am, so you will be. + + Ancient Roman grave inscription +
Commits
-
doc: update PG 11 release notes
- 6eb612fea9d0 12.0 cited
-
Fix misspelled pg_trgm contrib name in PostgreSQL 11 release notes
- 3abc5a67edfd 12.0 landed
-
Doc: clarify release note text about v11's new window function features.
- 510421c45fb4 11.0 landed
- 11a3aeeb5e17 12.0 landed
-
Improve wording of release notes item
- bee6a683a5c3 11.0 landed
-
Fix typos in release notes
- fb6accd27b99 11.0 landed
-
Doc: preliminary list of PG11 major features.
- 4aad161c9a6d 11.0 landed
-
Make numeric power() handle NaNs according to the modern POSIX spec.
- d1fc750b5199 11.0 landed
-
Various improvements of skipping index scan during vacuum technics
- 8e12f4a250d2 11.0 cited
-
Revert back-branch changes in power()'s behavior for NaN inputs.
- f74d83b3034f 10.4 cited
-
Avoid wrong results for power() with NaN input on more platforms.
- 6bdf1303b34b 11.0 cited
-
Avoid wrong results for power() with NaN input on some platforms.
- 61b200e2f582 11.0 cited
-
Skip full index scan during cleanup of B-tree indexes when possible
- 857f9c36cda5 11.0 cited
-
Rewrite the code that applies scan/join targets to paths.
- 11cf92f6e2e1 11.0 cited
-
Postpone generate_gather_paths for topmost scan/join rel.
- 3f90ec8597c3 11.0 cited
-
Add casts from jsonb
- c0cbe00fee6d 11.0 cited
-
Make plpgsql use its DTYPE_REC code paths for composite-type variables.
- 4b93f57999a2 11.0 cited
-
Don't allow VACUUM VERBOSE ANALYZE VERBOSE.
- 921059bd66c7 11.0 cited
-
Pass InitPlan values to workers via Gather (Merge).
- e89a71fb449a 11.0 cited
-
Account for the effect of lossy pages when costing bitmap scans.
- 5edc63bda68a 11.0 cited
-
Allow no-op GiST support functions to be omitted.
- d3a4f89d8a3e 11.0 cited
-
Rearm statement_timeout after each executed query.
- f8e5f156b30e 11.0 cited
-
Push limit through subqueries to underlying sort, where possible.
- 1f6d515a67ec 11.0 cited