Subject | Re: [Firebird-general] Security paranoia |
---|---|
Author | Lester Caine |
Post date | 2014-02-07T14:46:53Z |
Mark Rotteveel wrote:
> On Fri, 07 Feb 2014 12:10:53 +0000, Lester Caine <lester@...>
> wrote:
>> PHP is being exercised at the moment by
>> http://en.m.wikipedia.org/wiki/Timing_attack and its ease of use for PHP
>> applications. Since I do that bit on secure sites in an SQL query is it
>> something that is likely to be susceptible to this type of attack? I'm talking
>> about stored data, but the database password itself has just come to mind!
>
> Are you sure this is about (cryptographic) timing attacks (which is
> essentially about being able to glean information about the encrypted
> information, cryptographic key etc by the time something takes), or about
> TOCTTU problems (http://en.wikipedia.org/wiki/Time_of_check_to_time_of_use)
> or about time related information gathering (eg login failure takes longer
> when the user does exist, making it possible to find out if a user exists
> or not).

The particular 'problem' PHP is trying to fix is one where the time it takes to
decode a hash can give you enough information to identify the password letter by
letter. So the fix is to ensure that it takes either a random time, or the same
time whichever letter is being handled. At least I THINK that is what is being
discussed ;) I think that with Firebird it's probably the HASH() performance
that matters? but I'm not sure about hacking the database passwords ...
>> I only ask because I got a grilling from an 'independent security expert'
>> at one of my customers yesterday. One of his solutions to his identified
>> security problems was to replace the two XPHome machine licenses with windows
>> server ones! Apparently you never could use XPHome legally for business use? So
>> I'm not particularly bothered by the nitpicking, but it would be nice to be able
>> to speak with some confidence on these things :)
>
> As far as I know the XP Home license does not allow server use, but I
> don't see how this would be related to security issues.

Firebird, Apache and PHP run on a Linux box :) No server functions needed on the
two workstations which simply provide announcements, links to ticket printers,
and multiple display channels ... but if you sign your soul away in an
enterprise agreement then apparently M$ write the rules :)
--
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
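The early-exit comparison Lester describes, placed next to the constant-time form that fixes it, as an added example that is not part of the original thread and is not code from Firebird or PHP. The stored digest, the candidate strings and the byte-count bookkeeping are all constructed here; the number of bytes a comparison examines before returning stands in for wall-clock time, since that count is what an attacker would actually be measuring on a live system:

```python
"""Constructed example: why an early-exit compare leaks, and the fix.

The "steps" recorded by each comparison stand in for elapsed time,
because the number of bytes examined before returning is what an attacker
measures (through timing) on a real system.
"""
import hashlib
import hmac
from typing import Callable, List


def leaky_equals(stored: bytes, candidate: bytes, steps: List[int]) -> bool:
    """Ordinary early-exit comparison (what a plain == or strcmp does).

    Returns on the first mismatching byte, so the number of bytes examined
    (appended to `steps`) reveals the length of the matching prefix.
    """
    if len(stored) != len(candidate):
        steps.append(0)
        return False
    examined = 0
    for a, b in zip(stored, candidate):
        examined += 1
        if a != b:
            steps.append(examined)
            return False
    steps.append(examined)
    return True


def constant_time_equals(stored: bytes, candidate: bytes, steps: List[int]) -> bool:
    """Comparison that always examines every byte.

    The result is accumulated with OR/XOR instead of branching on each byte,
    so the work done does not depend on where (or whether) the inputs differ.
    Length is not secret for fixed-size digests, so the early length check is fine.
    """
    if len(stored) != len(candidate):
        steps.append(0)
        return False
    diff = 0
    examined = 0
    for a, b in zip(stored, candidate):
        examined += 1
        diff |= a ^ b
    steps.append(examined)
    return diff == 0


def work_profile(compare: Callable[..., bool], stored: bytes,
                 candidates: List[bytes]) -> List[int]:
    """Bytes examined by `compare` for each candidate, in order."""
    profile = []
    for cand in candidates:
        steps: List[int] = []
        compare(stored, cand, steps)
        profile.append(steps[0])
    return profile


def candidates_sharing_prefix(stored: bytes, prefix_lengths: List[int]) -> List[bytes]:
    """Constructed candidates that agree with `stored` on exactly k leading bytes.

    'z' is never a hex digit, so the byte at position k is guaranteed to differ.
    """
    return [stored[:k] + b"z" * (len(stored) - k) for k in prefix_lengths]


def check_password_hash(stored_hex: str, candidate_hex: str) -> bool:
    """The form to use in practice: the standard library's constant-time compare.

    PHP's hash_equals() (5.6 and later) plays the same role there.
    """
    return hmac.compare_digest(stored_hex.encode(), candidate_hex.encode())


def demo() -> dict:
    # Constructed: a stored SHA-256 hex digest (64 bytes) of a made-up password.
    stored = hashlib.sha256(b"constructed-example-password").hexdigest().encode()
    prefix_lengths = [0, 8, 32, 63]
    cands = candidates_sharing_prefix(stored, prefix_lengths)
    return {
        "leaky": work_profile(leaky_equals, stored, cands),
        "constant": work_profile(constant_time_equals, stored, cands),
        "leaky_match": work_profile(leaky_equals, stored, [stored]),
        "stdlib_match": check_password_hash(stored.decode(), stored.decode()),
        "stdlib_mismatch": check_password_hash(stored.decode(), cands[0].decode()),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The leaky profile grows with the length of the matching prefix while the constant-time profile is flat, and a flat profile is the property to verify in any password, token or MAC check. In real code prefer the library routine over a hand-rolled loop: `hmac.compare_digest` in Python, `hash_equals()` in PHP 5.6 and later. Adding a random delay, the other remedy the post mentions, is the weaker of the two: random noise averages out over repeated measurements, whereas equal work per comparison leaves nothing to average.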