
security: implement SCRAM channel binding #74300

Open
knz opened this issue Dec 28, 2021 · 2 comments
Labels
A-authentication Pertains to authn subsystems A-sql-pgwire pgwire protocol issues. C-enhancement Solution expected to add code/behavior + preserve backward-compat (pg compat issues are exception) T-server-and-security DB Server & Security X-anchored-telemetry The issue number is anchored by telemetry references.

Comments

@knz
Contributor

knz commented Dec 28, 2021

This is a derivative from #42519.

pg SQL supports an extension to SCRAM-SHA-256 called "channel binding".

What

Channel binding provides an additional layer of security, which makes the SCRAM handshake immune to MITM attacks, even using a malicious intermediate with a valid TLS certificate.

It achieves this by requiring the SCRAM handshake to include a hash of the TLS fingerprint of the server cert, so that the server can verify that the client is seeing its own TLS cert and not the one from the intermediary.

For more details see the pg sources, backend/libpq/auth-scram.c.

How

  • A server announces that it supports channel binding by announcing SCRAM-SHA-256-PLUS as a supported method alongside SCRAM-SHA-256 in the initial authentication request.
  • A client can then request channel binding by requesting SCRAM-SHA-256-PLUS in the initial password response.
  • During the handshake, the client and server verify the p attribute in the SASL parameters.

Caveats

As of this writing, many client SQL drivers other than pg's own libpq do not support channel binding yet.

Epic CRDB-5349

Jira issue: CRDB-12022
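As an added illustration of the handshake step described above (not code from this issue or from CockroachDB), the following Go program shows what the `p` / channel-binding check actually compares. It assumes the `tls-server-end-point` binding type that PostgreSQL uses, derives the binding data from the DER-encoded server certificate with the hash chosen per RFC 5929 section 4.1, builds the client's `c=` attribute as base64(gs2-header || cb-data), and has the server recompute the same value from its own certificate. The function names are hypothetical, and the certificates are throwaway self-signed fixtures generated at runtime. The second run, with a different certificate standing in for an intermediary, shows why the check fails even when that certificate carries the same name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"hash"
	"math/big"
	"time"
)

// ChannelBindingType is the binding type PostgreSQL supports for SCRAM-SHA-256-PLUS.
const ChannelBindingType = "tls-server-end-point"

// GS2Header is the RFC 5802 gs2-header a client sends when it requests channel
// binding: the "p=" flag naming the binding type, then an empty authzid.
const GS2Header = "p=" + ChannelBindingType + ",,"

// certHash picks the digest for tls-server-end-point per RFC 5929 section 4.1:
// the hash used by the certificate's signature algorithm, except that MD5 and
// SHA-1 are upgraded to SHA-256. Ed25519 has no single hash, so it is rejected
// here (assumption: a real implementation would refuse channel binding in that case).
func certHash(cert *x509.Certificate) (hash.Hash, error) {
	switch cert.SignatureAlgorithm {
	case x509.SHA384WithRSA, x509.ECDSAWithSHA384, x509.SHA384WithRSAPSS:
		return sha512.New384(), nil
	case x509.SHA512WithRSA, x509.ECDSAWithSHA512, x509.SHA512WithRSAPSS:
		return sha512.New(), nil
	case x509.PureEd25519:
		return nil, errors.New("Ed25519 signature has no single hash; cannot derive tls-server-end-point")
	default: // MD5, SHA-1 and the SHA-256 family all map to SHA-256
		return sha256.New(), nil
	}
}

// EndpointBindingData returns the raw channel-binding data: a digest of the
// DER-encoded certificate presented on the TLS connection.
func EndpointBindingData(cert *x509.Certificate) ([]byte, error) {
	h, err := certHash(cert)
	if err != nil {
		return nil, err
	}
	h.Write(cert.Raw)
	return h.Sum(nil), nil
}

// ClientChannelBindingAttr builds the "c=" attribute of the SCRAM
// client-final-message from the certificate the client actually received.
func ClientChannelBindingAttr(seenCert *x509.Certificate) (string, error) {
	cb, err := EndpointBindingData(seenCert)
	if err != nil {
		return "", err
	}
	return "c=" + base64.StdEncoding.EncodeToString(append([]byte(GS2Header), cb...)), nil
}

// ServerVerifyChannelBinding is the server-side check: recompute the expected
// "c=" value from the server's own certificate and compare in constant time.
// A mismatch means the client saw a different certificate than this server's,
// which is exactly the case an intermediary with its own valid certificate produces.
func ServerVerifyChannelBinding(ownCert *x509.Certificate, clientAttr string) (bool, error) {
	expected, err := ClientChannelBindingAttr(ownCert)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare([]byte(expected), []byte(clientAttr)) == 1, nil
}

// newSelfSignedCert makes a throwaway ECDSA P-256 certificate (a constructed
// test fixture, not a deployment certificate). Go signs it with ECDSA-SHA256.
func newSelfSignedCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	server, _ := newSelfSignedCert("db.example.internal")
	// Same name, different key: looks valid to the client but is not the server's cert.
	intermediary, _ := newSelfSignedCert("db.example.internal")

	direct, _ := ClientChannelBindingAttr(server)
	ok, _ := ServerVerifyChannelBinding(server, direct)
	fmt.Println("direct TLS connection accepted:", ok)

	relayed, _ := ClientChannelBindingAttr(intermediary)
	ok, _ = ServerVerifyChannelBinding(server, relayed)
	fmt.Println("connection via intermediary accepted:", ok)
}
```

The server never needs the client's certificate or any extra secret for this: the shared value is the server's own certificate, which the client can only see correctly if its TLS session terminates at that server. That is why the check survives an intermediary holding a certificate a CA would accept.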

@knz knz added C-enhancement Solution expected to add code/behavior + preserve backward-compat (pg compat issues are exception) A-sql-pgwire pgwire protocol issues. X-anchored-telemetry The issue number is anchored by telemetry references. A-authentication Pertains to authn subsystems labels Dec 28, 2021
@blathers-crl blathers-crl bot added the T-server-and-security DB Server & Security label Dec 28, 2021

@knz
Contributor Author

knz commented Apr 30, 2022

cc @jtsiros for tracking and triage

@exalate-issue-sync exalate-issue-sync bot added the T-server-and-security DB Server & Security label May 27, 2022