On 25/06/18 10:02, Dimitry Sibiryakov wrote:
> 25.06.2018 10:35, Alex Peshkoff via Firebird-devel wrote:
>> Afraid you are wrong here. It helps an attacker to detect what plugin is actually used by server (for example - srp or srp256) and use that info to attack particular plugin later.
>
> Does srp have non-theoretical vulnerability?


The problem with Srp is that it uses SHA-1 to generate the Client Proof.

The Client Proof is itself a hash of several items including the shared secret. If it is possible to mount a brute force attack that allows the original message to be recovered from the SHA-1 hash then the shared secret is revealed. Given that this secret is also used for Wire Encryption then it becomes possible for an attacker to eavesdrop on all data exchanged during the session, and which may include a database encryption key, if this is also exchanged.

NIST has recommended against the use of SHA-1 in such situations because of the many reports from researchers of SHA-1 collision predictability and which may be used to speed up brute force attacks. Even if it were still computationally infeasible to break Srp today, it is probable that in the next few years it will be totally broken.

The recommendation is thus to move to (e.g.) SHA-256 which is believed to be much less vulnerable to brute force attacks and the proposed patch is simply implementing the NIST guidance.

It is also perhaps worth recalling that many organisations will have policies in place to avoid the use of products that do not comply with NIST recommendations. Hence, even if the vulnerability is still theoretical, it does help the acceptability of Firebird if it only offers SHA-1 based Srp. The purpose of the patch is to offer users the option of a better Client Proof and to avoid Firebird being rejected simply for reasons of organisational policy.

Firebird-Devel mailing list, web interface at 
https://lists.sourceforge.net/lists/listinfo/firebird-devel
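
The message above describes the Client Proof as a hash over several items including the shared secret, and a patch that lets the proof use SHA-256 instead of SHA-1. The following is an added example, not part of the original message and not Firebird's code: a generic SRP-6a login with an RFC 2945-style proof in which only the proof hash is switchable. The demo group, the function names, the fixed `base` hash and the sample password are assumptions made for illustration.

```python
import hashlib
import secrets

# Demo group (assumption): a Mersenne prime keeps the block short.
# Real deployments use a standardised SRP group.
N, G = 2**521 - 1, 2

def to_bytes(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

def H(alg, *parts):
    h = hashlib.new(alg)
    for p in parts:
        h.update(p if isinstance(p, bytes) else to_bytes(p))
    return h.digest()

def hint(alg, *parts):
    return int.from_bytes(H(alg, *parts), "big")

def client_proof(alg, user, salt, A, B, K):
    # RFC 2945-style M = H(H(N) xor H(g), H(I), s, A, B, K)
    xored = bytes(p ^ q for p, q in zip(H(alg, N), H(alg, G)))
    return H(alg, xored, H(alg, user), salt, A, B, K)

def run_exchange(proof_alg, stored_pw, typed_pw, user=b"SYSDBA"):
    """One SRP-6a login. Returns (proof the client sends, proof the server expects)."""
    base = "sha1"  # assumption: only the proof hash is switchable in this demo
    salt = secrets.token_bytes(16)
    def private_x(pw):
        return hint(base, salt, H(base, user + b":" + pw))
    v = pow(G, private_x(stored_pw), N)        # verifier held by the server
    k = hint(base, N, G)
    a = secrets.randbelow(N - 2) + 1           # client ephemeral secret
    b = secrets.randbelow(N - 2) + 1           # server ephemeral secret
    A = pow(G, a, N)
    B = (k * v + pow(G, b, N)) % N
    u = hint(base, A, B)
    x = private_x(typed_pw)
    S_client = pow((B - k * pow(G, x, N)) % N, a + u * x, N)
    S_server = pow(A * pow(v, u, N) % N, b, N)
    # The session key K is the last input to the proof on both sides.
    sent = client_proof(proof_alg, user, salt, A, B, H(base, S_client))
    expected = client_proof(proof_alg, user, salt, A, B, H(base, S_server))
    return sent, expected
```

The server accepts the login only when the two returned values are equal; the proof is 20 bytes with `sha1` and 32 bytes with `sha256`, while the rest of the exchange is unchanged.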
