How many iterations does the scram-sha-256 setting use in PostgreSQL 10?
Setting this parameter to scram-sha-256 will encrypt the password with SCRAM-SHA-256.
Add SCRAM-SHA-256 support for password negotiation and storage (Michael Paquier, Heikki Linnakangas). This provides better security than the existing md5 negotiation and storage method.
It is a compile-time variable in scram-common.h called SCRAM_ITERATIONS_DEFAULT. It is currently set to 4096.
This broadly follows the spec's "rule of thumb", cited in November 2015, which was 15,000. It is currently the lowest permitted iteration count. From RFC-7677:
The strength of this mechanism is dependent in part on the hash iteration-count, as denoted by "i" in [RFC5802]. As a rule of thumb, the hash iteration-count should be such that a modern machine will take 0.1 seconds to perform the complete algorithm; however, this is unlikely to be practical on mobile devices and other relatively low-performance systems. At the time this was written, the rule of thumb gives around 15,000 iterations required; however, a hash iteration-count of 4096 takes around 0.5 seconds on current mobile handsets. This computational cost can be avoided by caching the ClientKey (assuming the Salt and hash iteration-count is stable). Therefore, the recommendation of this specification is that the hash iteration-count SHOULD be at least 4096, but careful consideration ought to be given to using a significantly higher value, particularly where mobile use is less important.
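As an added illustration (not code from the question, the answer or PostgreSQL itself) of where the iteration count sits in SCRAM-SHA-256: the verifier below is built in the layout PostgreSQL documents for pg_authid, `SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>`, the key derivation follows RFC 5802, and the password, salt and AuthMessage are constructed values. It also shows that the server side of the exchange never re-runs PBKDF2, which is why the count mainly governs client cost and offline guessing against a leaked verifier.

```python
import base64
import hashlib
import hmac

ITERATIONS_DEFAULT = 4096  # value of SCRAM_ITERATIONS_DEFAULT in PostgreSQL 10


def scram_keys(password: bytes, salt: bytes, iterations: int):
    """SaltedPassword -> ClientKey, StoredKey, ServerKey (RFC 5802 section 3)."""
    salted = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return client_key, stored_key, server_key


def build_verifier(password: bytes, salt: bytes, iterations: int = ITERATIONS_DEFAULT) -> str:
    """What the server stores; the iteration count is part of the record."""
    _, stored_key, server_key = scram_keys(password, salt, iterations)
    b64 = lambda b: base64.b64encode(b).decode()
    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"


def parse_verifier(verifier: str):
    scheme, rest = verifier.split("$", 1)
    assert scheme == "SCRAM-SHA-256"
    params, keys = rest.split("$", 1)
    iterations, salt_b64 = params.split(":", 1)
    stored_b64, server_b64 = keys.split(":", 1)
    return (int(iterations), base64.b64decode(salt_b64),
            base64.b64decode(stored_b64), base64.b64decode(server_b64))


def client_proof(password: bytes, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    """Client side: pays the PBKDF2 cost, then ClientProof = ClientKey XOR ClientSignature."""
    client_key, stored_key, _ = scram_keys(password, salt, iterations)
    signature = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(client_key, signature))


def server_verify(verifier: str, auth_message: bytes, proof: bytes) -> bool:
    """Server side: recovers ClientKey from the proof and checks H(ClientKey) == StoredKey.
    No PBKDF2 here; only the StoredKey from the verifier is needed."""
    _, _, stored_key, _ = parse_verifier(verifier)
    signature = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    client_key = bytes(a ^ b for a, b in zip(proof, signature))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key)
```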