January 19th, 2004 - LiveJournal Development

LJ Code with Oracle? [Jan. 19th, 2004|03:19 pm]
lj_dev

[jesuschrist2k1]
Hey, everyone. I'm wondering if anyone has used LJ code with Oracle instead of MySQL. If not, would it be a big challenge to write some code that would make it compatible?

A secure password protocol for LiveJournal [Jan. 19th, 2004|11:57 pm]
[ciphergoth]
LiveJournal wants to offer clients a way of logging in without presenting their plaintext password, for security reasons.

The existing proposal is a challenge-response protocol. It has a lot of problems, but in some ways the most serious problem is at the core: passwords are so low entropy that CR protocols don't do a lot to protect them, because someone who sniffs the session can run an offline guessing attack, and few people are good at generating passwords that resist such attacks.

Why muck about? Cryptographically, this is caveman stuff, and we have much better technology now: real secure password protocols. Probably the best known is SRP, which is available worldwide, royalty-free:

http://srp.stanford.edu/

The only tweak I can see that might be needed would be running the password through MD5 before handing it to SRP for backwards compatibility reasons. Apart from that, we can use SRP exactly as specified, for a genuine leap in security over the existing protocol.
