On 04-12-2020 17:15, Tony Whyman wrote:
Does the same problem exist with Firebird SRP and SHA-256. This uses a different codebase to SHA-1, so it would be interesting to know whether the problem is specific to SHA-1. It also begs the question: if you are serious about SRP security then why are you still using SHA-1?
The problem occurred with all Srp plugins, and that is because Srp and all SrpNNN plugins use SHA-1 internally (iirc, switching each plugin to SHA-NNN entirely would require separate user managers for each plugin), only the client proof hash itself uses the SHA-NNN hash. The problem here isn't with the client proof hash itself, but with a component that goes into the client proof hash.
Of course, maybe we could always consider adding a SrpV2, or something that also internally uses SHA-256 (or better).
Mark -- Mark Rotteveel Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel