Re: [Firebird-devel] Jaybird Srp authentication issue

2020-12-04 Thread Mark Rotteveel
On 04-12-2020 17:15, Tony Whyman wrote: Does the same problem exist with Firebird SRP and SHA-256? This uses a different codebase to SHA-1, so it would be interesting to know whether the problem is specific to SHA-1. It also begs the question: if you are serious about SRP security then why are

Re: [Firebird-devel] Jaybird Srp authentication issue

2020-12-04 Thread Mark Rotteveel
On 04-12-2020 17:03, Dimitry Sibiryakov wrote: 04.12.2020 16:20, Mark Rotteveel wrote: After closer inspection, I found the issue. The SHA-1 hash of DAVIDS is 00AD377F8297F04FD83DFDBF48AABF316850862F. Seeing that leading zero, I guessed that might be part of the problem. After stripping the

Re: [Firebird-devel] Jaybird Srp authentication issue

2020-12-04 Thread Tony Whyman
On 04/12/2020 16:03, Dimitry Sibiryakov wrote: 04.12.2020 16:20, Mark Rotteveel wrote: After closer inspection, I found the issue. The SHA-1 hash of DAVIDS is 00AD377F8297F04FD83DFDBF48AABF316850862F. Seeing that leading zero, I guessed that might be part of the problem. After stripping the

Re: [Firebird-devel] Jaybird Srp authentication issue

2020-12-04 Thread Dimitry Sibiryakov
04.12.2020 16:20, Mark Rotteveel wrote: After closer inspection, I found the issue. The SHA-1 hash of DAVIDS is 00AD377F8297F04FD83DFDBF48AABF316850862F. Seeing that leading zero, I guessed that might be part of the problem. After stripping the leading zero from the user hash in Jaybird, the

Re: [Firebird-devel] Jaybird Srp authentication issue

2020-12-04 Thread Mark Rotteveel
On 04-12-2020 15:55, Adriano dos Santos Fernandes wrote: On 04/12/2020 11:48, Mark Rotteveel wrote: This behaviour is a security issue, it leaks existence or non-existence of the user. Is it a security issue in any website that if I try to create an account and it says the user already

Re: [Firebird-devel] Jaybird Srp authentication issue

2020-12-04 Thread Adriano dos Santos Fernandes
On 04/12/2020 12:06, Tony Whyman wrote: > On 04/12/2020 14:55, Adriano dos Santos Fernandes wrote: >> On 04/12/2020 11:48, Mark Rotteveel wrote: >>> This behaviour is a security issue, it leaks existence or non-existence of the user. >> Is it a security issue in any website that if I

Re: [Firebird-devel] Jaybird Srp authentication issue

2020-12-04 Thread Mark Rotteveel
On 04-12-2020 14:38, Mark Rotteveel wrote: A bug was reported today against Jaybird (http://tracker.firebirdsql.org/browse/JDBC-635), that certain Srp users cannot authenticate against Firebird 3 when using Jaybird. The issue is not reproducible with fbclient. This obviously means that there

Re: [Firebird-devel] Jaybird Srp authentication issue

2020-12-04 Thread Tony Whyman
On 04/12/2020 14:55, Adriano dos Santos Fernandes wrote: On 04/12/2020 11:48, Mark Rotteveel wrote: This behaviour is a security issue, it leaks existence or non-existence of the user. Is it a security issue in any website that if I try to create an account and it says the user already

Re: [Firebird-devel] Jaybird Srp authentication issue

2020-12-04 Thread Adriano dos Santos Fernandes
On 04/12/2020 11:48, Mark Rotteveel wrote: > This behaviour is a security issue, it leaks existence or non-existence of the user. Is it a security issue in any website that if I try to create an account and it says the user already exists? Adriano Firebird-Devel mailing list, web

Re: [Firebird-devel] Jaybird Srp authentication issue

2020-12-04 Thread Mark Rotteveel
On 04-12-2020 15:10, Dimitry Sibiryakov wrote: 04.12.2020 14:38, Mark Rotteveel wrote: This obviously means that there is something wrong in Jaybird's SRP implementation, but so far I have no clue as to what. SRP definitely allows distinguishing the cases of unknown user and wrong password. You

Re: [Firebird-devel] Jaybird Srp authentication issue

2020-12-04 Thread Mark Rotteveel
On 04-12-2020 14:58, Alex Peshkoff via Firebird-devel wrote: On 12/4/20 4:38 PM, Mark Rotteveel wrote: A bug was reported today against Jaybird (http://tracker.firebirdsql.org/browse/JDBC-635), that certain Srp users cannot authenticate against Firebird 3 when using Jaybird. The issue is not

Re: [Firebird-devel] Jaybird Srp authentication issue

2020-12-04 Thread Mark Rotteveel
On 04-12-2020 14:51, Tony Whyman wrote: Is this a character case problem? A quick look at the Firebird SRP code suggests that the username/password hash is generated using the actual character string without any transformation to all upper case. That is not correct, the username will be

Re: [Firebird-devel] Jaybird Srp authentication issue

2020-12-04 Thread Dimitry Sibiryakov
04.12.2020 14:38, Mark Rotteveel wrote: This obviously means that there is something wrong in Jaybird's SRP implementation, but so far I have no clue as to what. SRP definitely allows distinguishing the cases of unknown user and wrong password. You could start from finding out which part of

Re: [Firebird-devel] Jaybird Srp authentication issue

2020-12-04 Thread Tony Whyman
Is this a character case problem? A quick look at the Firebird SRP code suggests that the username/password hash is generated using the actual character string without any transformation to all upper case. On 04/12/2020 13:38, Mark Rotteveel wrote: A bug was reported today against Jaybird

Re: [Firebird-devel] Jaybird Srp authentication issue

2020-12-04 Thread Alex Peshkoff via Firebird-devel
On 12/4/20 4:38 PM, Mark Rotteveel wrote: A bug was reported today against Jaybird (http://tracker.firebirdsql.org/browse/JDBC-635), that certain Srp users cannot authenticate against Firebird 3 when using Jaybird. The issue is not reproducible with fbclient. This obviously means that there

[Firebird-devel] Jaybird Srp authentication issue

2020-12-04 Thread Mark Rotteveel
A bug was reported today against Jaybird (http://tracker.firebirdsql.org/browse/JDBC-635), that certain Srp users cannot authenticate against Firebird 3 when using Jaybird. The issue is not reproducible with fbclient. This obviously means that there is something wrong in Jaybird's SRP