How many iterations does the scram-sha-256 setting use in PostgreSQL 10?


Question

How many iterations does the scram-sha-256 setting use in PostgreSQL 10?

The docs just say

Setting this parameter to scram-sha-256 will encrypt the password with SCRAM-SHA-256.

The build log reads:

Add SCRAM-SHA-256 support for password negotiation and storage (Michael Paquier, Heikki Linnakangas). This provides better security than the existing md5 negotiation and storage method.

Recommended answer

It's a compile-time variable in scram-common.h known as SCRAM_ITERATIONS_DEFAULT. Currently it's set to 4096.

That's substantially under the spec's "rule of thumb", which is cited in Nov 2015 as being 15,000. It's currently the lowest value for permissible iterations. From RFC 7677:

The strength of this mechanism is dependent in part on the hash iteration-count, as denoted by "i" in [RFC5802]. As a rule of thumb, the hash iteration-count should be such that a modern machine will take 0.1 seconds to perform the complete algorithm; however, this is unlikely to be practical on mobile devices and other relatively low-performance systems. At the time this was written, the rule of thumb gives around 15,000 iterations required; however, a hash iteration-count of 4096 takes around 0.5 seconds on current mobile handsets. This computational cost can be avoided by caching the ClientKey (assuming the Salt and hash iteration-count is stable). Therefore, the recommendation of this specification is that the hash iteration-count SHOULD be at least 4096, but careful consideration ought to be given to using a significantly higher value, particularly where mobile use is less important.
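To make the iteration count concrete, here is an added example (not code from the question, the answer, or PostgreSQL itself) that derives a SCRAM-SHA-256 verifier the way RFC 5802/7677 describe it, formats it in the layout PostgreSQL stores in pg_authid, parses a stored verifier back to audit its iteration count against the 4096 default, and times the salted-password step that the RFC's "0.1 seconds" rule refers to. The password, 16-byte salt and the 15,000 comparison value are constructed inputs; SASLprep normalisation of the password is omitted, so it assumes ASCII passwords.

```python
import base64
import hashlib
import hmac
import os
import time

# PostgreSQL 10's compile-time default and the RFC 7677 minimum.
SCRAM_ITERATIONS_DEFAULT = 4096


def scram_verifier(password: str, salt: bytes, iterations: int) -> str:
    """Build a verifier in PostgreSQL's stored layout:
    SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>  (base64 fields)."""
    # RFC 5802: SaltedPassword := Hi(password, salt, i), i.e. PBKDF2-HMAC-SHA-256.
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()     # what the server keeps
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"


def parse_verifier(verifier: str) -> dict:
    """Split a stored verifier into its fields; raises ValueError if malformed."""
    try:
        scheme, params, keys = verifier.split("$")
        iterations, salt = params.split(":")
        stored_key, server_key = keys.split(":")
    except ValueError as exc:
        raise ValueError("not a SCRAM-SHA-256 verifier") from exc
    if scheme != "SCRAM-SHA-256":
        raise ValueError(f"unexpected scheme {scheme!r}")
    return {"iterations": int(iterations), "salt": base64.b64decode(salt),
            "stored_key": base64.b64decode(stored_key),
            "server_key": base64.b64decode(server_key)}


def iteration_count_ok(verifier: str, minimum: int = SCRAM_ITERATIONS_DEFAULT) -> bool:
    """Audit check: does a stored verifier meet the required iteration count?"""
    return parse_verifier(verifier)["iterations"] >= minimum


def time_hi(iterations: int, password: str = "pencil", salt: bytes = b"\x00" * 16) -> float:
    """Seconds for one SaltedPassword derivation at the given iteration count."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    salt = os.urandom(16)  # constructed; PostgreSQL generates the salt server-side
    for i in (SCRAM_ITERATIONS_DEFAULT, 15000):
        print(i, iteration_count_ok(scram_verifier("pencil", salt, i)), f"{time_hi(i):.4f}s")
```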
