On 5/27/2013 2:53 AM, Alex Peshkoff wrote: > On 05/26/13 19:53, Mark Rotteveel wrote: > >> If I understand it correctly, the new wire encryption of FB 3 uses RC4, >> an encryption with known attacks and vulnerabilities. Wouldn't it be >> better to research other options? > RC4 is not more than default wire encryption plugin - if you really do > not trust it you can easily write your own. > > > On 05/26/13 21:36, Jim Starkey wrote: > >> I don't know what Firebird is now using for password validation, but I >> strongly suggest that somebody look closely at SRP (secure remote >> password) to generate session keys. > Use of SRP to generate keys for RC4 is default option in FB3. > >> SRP is immune to all but brute force attacks, doesn't require that a >> server store anything which, if compromised, would allow password (or >> surrogates) to be computed, and requires a single round trip for >> authentication. >> > In current network protocol client sends login name and SRP public key > to server in connect packet. Server's public key and salt are returned > to client accept packet. Hash of session key is sent from client to > server in attach (or create) packet as a clumplet in DPB. I.e. no > additional roundtrip at this step compared with legacy authentication. > >
Is the attach package encrypted with the session key? If so, the hash of the session key isn't necessary. If not, the exchange is susceptible to a man-in-the-middle attack with a buggered DPB. ------------------------------------------------------------------------------ Try New Relic Now & We'll Send You this Cool Shirt New Relic is the only SaaS-based application performance monitoring service that delivers powerful full stack analytics. Optimize and monitor your browser, app, & servers with just a few lines of code. Try New Relic and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
