On 11/06/2015 06:26 PM, Jim Starkey wrote:
> A client side key really needs to be sent over an encrypted connection,
> but establishing a session key is more than a little tricky. SSL, for
> example, uses public key encryption to pass random session keys where
> the public key is on a certificate signed by a recognized authority.
> Requiring certificates for Firebird would not, I fear, be administrator
> friendly. But without robust authentication of the server, handshake
> schemes are vulnerable to man in the middle attacks.
>
> But speaking of man in the middle attacks (and thoroughly off-topic),
> did everyone see the papers on the successful attack on chip-based
> smart/credit cards? The bad guys inserted a programmable chip between
> the contacts on the card and the chip on a stolen card. When the
> terminal asked the card to validate a PIN, the chip-in-the-middle always
> said yup. Smart crooks (semi-smart -- they used all their stolen cards
> at the same stores), really dumb security design.
In our case (with the default set of plugins) SRP's session key is used as a key for RC4.

------------------------------------------------------------------------------
Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
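The design the reply describes, as an added example that is not part of the thread and not Firebird's plugin code: both sides of an SRP-6a handshake derive the same session key without any certificate, an impostor server that never learned the user's verifier ends up with a different key and fails the proof exchange, and the agreed key is then used to key RC4. Assumptions, labelled in the code: the 1024-bit group is transcribed from RFC 5054 Appendix A (g = 2), SHA-256 is used throughout where RFC 5054 specifies SHA-1, the session key is the hash of the padded premaster secret, the proofs follow RFC 2945, and the user name, password and salt are constructed test values. Firebird's actual parameters are not given on the page.

```python
"""SRP-6a handshake whose session key keys RC4 (illustrative, not Firebird code)."""
import hashlib
import secrets

# Assumption: 1024-bit group transcribed from RFC 5054 Appendix A, generator 2.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E860726187"
    "75FF3C0B9EA2314C9C256576D674DF7496EA81D3"
    "383B4813D692C6E0E0D5D8E250B98BE48E495C1D"
    "6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D49"
    "82559B297BCF1885C529F566660E57EC68EDBC3C"
    "05726CC02FD4CBF4976EAA9AFD5138FE8376435B"
    "9FC61D2FC0EB06E3", 16)
g = 2
NBYTES = (N.bit_length() + 7) // 8


def sha(*parts: bytes) -> bytes:
    # Assumption: SHA-256 everywhere; RFC 5054 uses SHA-1 for TLS-SRP.
    return hashlib.sha256(b"".join(parts)).digest()


def pad(x: int) -> bytes:
    return x.to_bytes(NBYTES, "big")


k = int.from_bytes(sha(pad(N), pad(g)), "big")  # multiplier, RFC 5054


def private_x(username: bytes, password: bytes, salt: bytes) -> int:
    # x = H(s | H(I | ":" | P)); only the client ever holds the password.
    return int.from_bytes(sha(salt, sha(username, b":", password)), "big")


def verifier(username: bytes, password: bytes, salt: bytes) -> int:
    # v = g^x mod N is what the server stores at account creation time.
    return pow(g, private_x(username, password, salt), N)


def rc4(key: bytes, data: bytes) -> bytes:
    # Plain RC4: same call encrypts and decrypts. Included only to mirror the
    # thread's design; RC4 keystream biases are well known (see RFC 7465).
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def handshake(username: bytes, client_password: bytes, server_v: int, salt: bytes):
    """Run both sides of SRP-6a in one process.

    Returns (client_key, server_key, both_proofs_ok). The server side knows
    only server_v; an impostor holding a verifier for the wrong password
    derives a different key and the RFC 2945 proofs M1/M2 do not verify.
    """
    a = secrets.randbelow(N - 2) + 1            # client ephemeral secret
    A = pow(g, a, N)                            # client -> server
    b = secrets.randbelow(N - 2) + 1            # server ephemeral secret
    B = (k * server_v + pow(g, b, N)) % N       # server -> client
    if A == 0 or B == 0:                        # RFC 5054 abort conditions
        raise ValueError("illegal ephemeral value")
    u = int.from_bytes(sha(pad(A), pad(B)), "big")
    if u == 0:
        raise ValueError("u == 0")
    x = private_x(username, client_password, salt)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow(A * pow(server_v, u, N) % N, b, N)
    # Assumption: session key = H(PAD(S)) (RFC 2945 uses SHA_Interleave).
    K_client, K_server = sha(pad(S_client)), sha(pad(S_server))

    def m1(K: bytes) -> bytes:  # RFC 2945 client proof
        hxor = bytes(p ^ q for p, q in zip(sha(pad(N)), sha(pad(g))))
        return sha(hxor, sha(username), salt, pad(A), pad(B), K)

    M1 = m1(K_client)                           # client -> server
    server_accepts = M1 == m1(K_server)
    M2 = sha(pad(A), M1, K_server)              # server -> client
    client_accepts = M2 == sha(pad(A), M1, K_client)
    return K_client, K_server, server_accepts and client_accepts


# Constructed test identity; salt would normally be random per account.
USER, PASSWORD, SALT = b"SYSDBA", b"masterkey", bytes.fromhex("0102030405060708")


def honest_session():
    return handshake(USER, PASSWORD, verifier(USER, PASSWORD, SALT), SALT)


def impostor_session():
    # Server that never learned the verifier and guesses the password.
    return handshake(USER, PASSWORD, verifier(USER, b"guess", SALT), SALT)


if __name__ == "__main__":
    Kc, Ks, ok = honest_session()
    print("honest: keys match =", Kc == Ks, "proofs ok =", ok)
    print("wire:", rc4(Kc, b"select 1 from rdb$database").hex())
    Kc, Ks, ok = impostor_session()
    print("impostor: keys match =", Kc == Ks, "proofs ok =", ok)
```

What the run shows: the honest pair agrees on K and both proofs verify, so the client has authenticated the server by its knowledge of the verifier alone, with no certificate involved. An attacker who merely relays A, B and the salt between the two real parties sees nothing that yields K, and an attacker who stands in as the server without the verifier is caught by the M2 check, which is the server authentication the quoted message asks for. The caveat a practitioner would add is that the cipher keyed by K matters as much as the handshake: RC4 is prohibited in TLS by RFC 7465 because of keystream biases, and a fresh per-session key does not remove them.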
