Thread: Update encryption options doc for SCRAM-SHA-256

Update encryption options doc for SCRAM-SHA-256

From

PG Doc comments form

Date:

03 February 2018, 02:42:35

The following documentation comment has been logged on the website:

Page: https://www.postgresql.org/docs/10/static/encryption-options.html
Description:

Section "18.8. Encryption Options" only mentions MD5 as the password storage
encryption mechanism, although PostgreSQL 10 introduced the superior SHA256
- somebody looking at the docs would get a bad idea of PostgreSQL's
capabilities...

Re: Update encryption options doc for SCRAM-SHA-256

From

Peter Eisentraut

Date:

03 February 2018, 19:30:51

On 2/2/18 18:42, PG Doc comments form wrote:
> The following documentation comment has been logged on the website:
> 
> Page: https://www.postgresql.org/docs/10/static/encryption-options.html
> Description:
> 
> Section "18.8. Encryption Options" only mentions MD5 as the password storage
> encryption mechanism, although PostgreSQL 10 introduced the superior SHA256
> - somebody looking at the docs would get a bad idea of PostgreSQL's
> capabilities...

I propose the attached patch.  I have combined the password storage and
password transmission items, because I don't want to go into the details
of how SCRAM works on the wire.

-- 
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

Attachment

0001-doc-Update-mentions-of-MD5-in-the-documentation.patch

Re: Update encryption options doc for SCRAM-SHA-256

From

Shay Rojansky

Date:

03 February 2018, 20:55:59

Thanks for your attention to this.

I'm definitely not a cryptography expert, but it seems to me that the actual mechanisms (MD5, SHA-256) are more important than the protocols used to negotiate them (SASL, SCRAM). When some security expert unfamiliar with PostgreSQL goes over itss documentation to determine whether it's secure, I think it's important to make sure that the word SHA-256 is actually there.

On Sat, Feb 3, 2018 at 8:30 AM, Peter Eisentraut <peter.eisentraut@2ndquadrant.com> wrote:

On 2/2/18 18:42, PG Doc comments form wrote:
> The following documentation comment has been logged on the website:
>
> Page: https://www.postgresql.org/docs/10/static/encryption-options.html
> Description:
>
> Section "18.8. Encryption Options" only mentions MD5 as the password storage
> encryption mechanism, although PostgreSQL 10 introduced the superior SHA256
> - somebody looking at the docs would get a bad idea of PostgreSQL's
> capabilities...

I propose the attached patch. I have combined the password storage and
password transmission items, because I don't want to go into the details
of how SCRAM works on the wire.

--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services