On Monday, July 27, 2015, Alex Peshkoff <peshk...@mail.ru> wrote:

> On 07/26/2015 10:00 PM, Ivan Arabadzhiev wrote:
> > Personally, I've recently started using (mostly for kicks) things like
> > https://en.wikipedia.org/wiki/Scrypt
> > https://en.wikipedia.org/wiki/Bcrypt
> > https://en.wikipedia.org/wiki/PBKDF2
> > I suppose the option to tune them in the future (or even introduce a
> > configurable parameter) is also a plus.
>
> You may write authentication plugin using that things and use it in FB3,
> no changes in the rest of firebird are required for it.
> For people who do not need a lot of connections per second this may be
> useful.
>

An interesting aspect of this approach is that it is an architectural,
pre-established denial of service facility.  All that is necessary to
render such a system unavailable is to hit it with a relatively low number
of unsuccessful connection requests.  If each takes one hundred
milliseconds to compute the hash and reject the request, it would take only
10 * the number of cores capable of authentication to consume 100% of
available cpu time.

Virtually all authentication schemes have a substantial computation cost,
but intentionally designing a scheme exposed to the world to
maximize CPU consumption leaves the system open to DOS by an attacker -- or
an errant program.

The ideal authentication scheme has zero cost and astronomic combinatorics so
a brute force attack takes more time than the universe has to live until
the Big Crunch.  This dictates very large quasi-random passwords, but this
is what password managers are all about.

Scrypt and Bcrypt are, without doubt, fascinating thesis material, but
their use in actual computing systems is stupid beyond belief.

If you are concerned with deep robustness, bundle a client side password
manager and require 32 character passwords.  A simple password that an
attacker never sees opens the vault.  Firebird could be the first RDBMS on
the block to have such a client.


-- 
Jim Starkey
------------------------------------------------------------------------------
Firebird-Devel mailing list, web interface at 
https://lists.sourceforge.net/lists/listinfo/firebird-devel
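The exchange above argues about the cost side of slow password hashes: a verifier that spends ~100 ms per rejection saturates its CPUs at roughly 10 failed requests per second per core. The example below is an added illustration, not code from this thread or from Firebird. It uses PBKDF2-HMAC-SHA256 from Python's standard library as the slow hash, computes the saturation rate from the thread's numbers, and shows the usual mitigation from the defender's side: a cheap per-source budget of failed attempts that is checked before any hash is computed, so a flood of bad logins from one source costs at most a handful of hashes per window. The iteration count, budget, window length, user names, addresses and passwords are constructed values chosen for the demonstration.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Constructed parameters for this illustration (not Firebird's settings).
PBKDF2_ITERATIONS = 100_000
FAILED_ATTEMPT_BUDGET = 5   # failed logins a single source may cause per window
WINDOW_SECONDS = 60.0


def saturation_rate(hash_cost_seconds: float, cores: int) -> float:
    """Failed logins per second that keep `cores` cores 100% busy when each
    rejection costs `hash_cost_seconds` of CPU (the thread's 100 ms -> 10/core)."""
    return cores / hash_cost_seconds


def derive(password: bytes, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Slow password hash; the expensive step the thread is talking about."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


# Dummy credential hashed for unknown users so a wrong user name costs the
# same as a wrong password (no user enumeration through timing).
DUMMY_SALT = b"\x00" * 16
DUMMY_HASH = derive(b"", DUMMY_SALT)


class Authenticator:
    """Verifier that checks a cheap per-source failed-attempt budget before
    it spends a slow hash on the request."""

    def __init__(self, users: dict, clock=time.monotonic):
        self.users = users                      # username -> (salt, stored hash)
        self.clock = clock                      # injectable for deterministic tests
        self.failures = defaultdict(list)       # source -> timestamps of failures
        self.hashes_computed = 0                # how much slow work we actually did

    def _over_budget(self, source: str, now: float) -> bool:
        recent = [t for t in self.failures[source] if now - t < WINDOW_SECONDS]
        self.failures[source] = recent          # forget failures outside the window
        return len(recent) >= FAILED_ATTEMPT_BUDGET

    def login(self, source: str, username: str, password: bytes) -> str:
        now = self.clock()
        if self._over_budget(source, now):
            return "throttled"                  # rejected without computing a hash
        record = self.users.get(username)
        salt, expected = record if record is not None else (DUMMY_SALT, DUMMY_HASH)
        candidate = derive(password, salt)
        self.hashes_computed += 1
        if record is not None and hmac.compare_digest(candidate, expected):
            return "ok"
        self.failures[source].append(now)
        return "rejected"


def demo() -> dict:
    """Flood one source with bad logins, then show a good login from another
    source still works and the budget resets after the window."""
    salt = os.urandom(16)
    users = {"alice": (salt, derive(b"correct horse battery staple", salt))}
    t = [0.0]                                   # fake clock, advanced by hand
    auth = Authenticator(users, clock=lambda: t[0])
    flood = [auth.login("10.0.0.7", "alice", b"wrong") for _ in range(20)]
    good = auth.login("10.0.0.8", "alice", b"correct horse battery staple")
    t[0] += WINDOW_SECONDS + 1                  # move past the window
    after_window = auth.login("10.0.0.7", "alice", b"wrong")
    return {
        "rejected": flood.count("rejected"),
        "throttled": flood.count("throttled"),
        "hashes_computed": auth.hashes_computed,
        "good_login": good,
        "after_window": after_window,
        "saturation_8_cores_100ms": saturation_rate(0.1, 8),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Without the budget check every one of the 20 bad attempts would cost a full PBKDF2 derivation; with it only the first five do, and the remaining fifteen are answered in microseconds, which is what bounds the CPU an errant client or a flood can consume. The budget is keyed by source, so it limits the damage one misbehaving client can do but does not stop a distributed flood; that still needs the hash cost itself to be chosen against the realistic request rate, which is the trade-off the thread is debating.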
