
Fwd: How to allow users to log on only from my application


 



<korryd@xxxxxxxxxxxxxxxx> wrote:

Say that your application offers a way for each user to set/change his own password.

When I (using your application) change my password, you could combine my new password with a secret value and then send the result to the PG server (so now the PG server thinks that my password is my_password+your_secret).

This is a special case of (2,2) secret sharing:

  http://en.wikipedia.org/wiki/Secret_sharing

Here the secret is the actual password, a+b, shared into two parts, a and b. The above scheme suffers from the problem that the user now knows quite a lot about the secret. If this is an issue, there are more sophisticated combining schemes that give the user no advantage over someone who knows neither half of the secret.

- John D. Burger
  MITRE
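The contrast drawn in this message, as an added example that is not code from the thread: the concatenation scheme hands the user a literal prefix of the PostgreSQL password, while in a (2,2) XOR sharing a single share is consistent with every possible secret. XOR sharing is an assumed choice of "more sophisticated combining scheme" (the message does not name one), and all function names and sample values are constructed for illustration.

```python
import secrets
from typing import Tuple


def concat_combine(user_password: str, app_secret: str) -> str:
    """Scheme from the quoted message: PG password = user part + app part."""
    return user_password + app_secret


def xor_split(secret: bytes) -> Tuple[bytes, bytes]:
    """(2,2) XOR sharing: share a is uniformly random, share b = secret XOR a."""
    a = secrets.token_bytes(len(secret))
    b = bytes(s ^ x for s, x in zip(secret, a))
    return a, b


def xor_combine(a: bytes, b: bytes) -> bytes:
    """Recombine two shares; both are required to recover the secret."""
    if len(a) != len(b):
        raise ValueError("shares must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def matching_share(known_share: bytes, candidate: bytes) -> bytes:
    """Other share that would make `candidate` the secret, given one share.

    Such a share exists for every candidate of the same length, which is
    why holding one XOR share rules out no candidate secret.
    """
    return xor_combine(known_share, candidate)


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    combined = concat_combine("hunter2", "APP-SECRET")
    print("concatenation exposes the user's half:", combined.startswith("hunter2"))

    pg_password = secrets.token_bytes(16)  # random password the server stores
    user_share, app_share = xor_split(pg_password)
    print("both shares recover it:", xor_combine(user_share, app_share) == pg_password)

    # Holding only user_share, any 16-byte value is still a possible secret.
    guess = secrets.token_bytes(16)
    fake_app_share = matching_share(user_share, guess)
    print("share fits an arbitrary guess:", xor_combine(user_share, fake_app_share) == guess)
```

The property holds only when the shared secret is itself random and the shares are as long as the secret; a user-chosen password used directly as one share does not provide it.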




