On Thursday, August 20, 2015, Alex Peshkoff <peshk...@mail.ru> wrote:
> On 08/18/2015 12:22 AM, Jim Starkey wrote: > > > > Unless it can be guaranteed that SRP verifiers in Firebird are immune > > to compromised > > What do you mean by 'immune to compromised' here? The main goal of using > SRP as a default authentication method in FB3 was to avoid sending plain > passwords over the wire. SRP verifiers are stored by default in separate > security database not accessible remotely at all. The next step of > verifiers protection is keeping them in SYSDBA-only readable table. But > may be I understand 'compromised' wrong here? By compromised I mean that a miscreant hacks into the server and steals the security database. The tradition way to do that is to put a password sniffer in a LAN and wait for somebody to do something stupid. You could argue that anyone who could steal the security database could also steal the production database, which is true. The the potential for real havoc depends on malicious interaction using forged/stolen credentials. You can't protect data files from a bad guy with the root password, but you can limit the damage he can do. Of couse he could also replace the Firebird image with a hacked version, but ... > > > (and daily headlines tell of the large number of government agencies > > that incorrectly though likewise), it is close to folly to use a > > robust authentication algorithm like SRP using human chosen passwords. > > > > Do you want to say that Stanford's paper is wrong? It begins with "The > SRP protocol performs secure remote authentication of _short > human-memorizable_ passwords". Of course it's wrong if the verifiers are compromised. Otherwise, the statement is true. > > Probably all questions asked can be replaced with single - is the goal > of suggestion keeping safe in a case when pairs <login, SRP verifier> > become known to potential attacker? Sure, but history has shown that to be next to impossible. Do rememer that somebody succeeded in stealing RSA's master database of key-cards. From Wikipedia: The breach into RSA's network was carried out by crackers who sent phishing <https://en.m.wikipedia.org/wiki/Phishing> emails to two targeted, small groups of employees of RSA.[15] <https://en.m.wikipedia.org/wiki/RSA_SecurID#cite_note-15> Attached to the email was an Excel file containing malware <https://en.m.wikipedia.org/wiki/Malware>. When an RSA employee opened the Excel file, the malware exploited a vulnerability in Adobe Flash. The exploit <https://en.m.wikipedia.org/wiki/Exploit_(computer_security)> allowed the hackers to use Poison Ivy Remote Administration Tool <https://en.m.wikipedia.org/wiki/Remote_Administration_Tool> to gain control of machines and access servers in RSA's network.[16] <https://en.m.wikipedia.org/wiki/RSA_SecurID#cite_note-16> > > In the final analysis, hardening any computing systems requires that > > the most vulnerable links be addressed first. In Firebird, that is > > the use of human chosen passwords. > > > > In firebird3 - probably yes. In currently released versions sending that > password over the wire in almost opened form seems to be much more > serious vulnerability. > > > Indeed. There is a common belief that sending the hash is more secure. > It isn't as stealing the hash is equivalent to stealing the password. And, > hey, if you have the hash, who needs the password. SRP is absolutely the best way to go. No question at all. -- Jim Starkey
------------------------------------------------------------------------------
Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
