On 05/26/13 19:53, Mark Rotteveel wrote: > If I understand it correctly, the new wire encryption of FB 3 uses RC4, > an encryption with known attacks and vulnerabilities. Wouldn't it be > better to research other options?
RC4 is not more than default wire encryption plugin - if you really do not trust it you can easily write your own. On 05/26/13 21:36, Jim Starkey wrote: > I don't know what Firebird is now using for password validation, but I > strongly suggest that somebody look closely at SRP (secure remote > password) to generate session keys. Use of SRP to generate keys for RC4 is default option in FB3. > SRP is immune to all but brute force attacks, doesn't require that a > server store anything which, if compromised, would allow password (or > surrogates) to be computed, and requires a single round trip for > authentication. > In current network protocol client sends login name and SRP public key to server in connect packet. Server's public key and salt are returned to client accept packet. Hash of session key is sent from client to server in attach (or create) packet as a clumplet in DPB. I.e. no additional roundtrip at this step compared with legacy authentication. Alex. PS. Jim - great thanks to you for all your advices re SRP: they helped much. ------------------------------------------------------------------------------ Try New Relic Now & We'll Send You this Cool Shirt New Relic is the only SaaS-based application performance monitoring service that delivers powerful full stack analytics. Optimize and monitor your browser, app, & servers with just a few lines of code. Try New Relic and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
