Firebird 3.0.6 Release Notes: Security → New Authentication Method in Firebird 3

New Authentication Method in Firebird 3

Alex Peshkov

SSL/TLS Support
Increased Password Length
The Authentication Plug-in
Multiple User Managers
V. 3.0.4 SRP Security Patch

All of the code related to authentication is plug-in-enabled. Though Firebird performs the generic work, like extracting authentication data from a network message or putting it into such messages as appropriate, all the activity related to calculating hashes, storing data in databases or elsewhere, using specific prime numbers and so on is done by plug-ins.

Firebird 3 has a new method of user authentication, implemented as the default plug-in: the Secure Remote Password (SRP) protocol. Quoting from Wikipedia:

The SRP protocol creates a large private key shared between the two parties in a manner similar to Diffie-Hellman key exchange, then verifies to both parties that the two keys are identical and that both sides have the user's password. In cases where encrypted communications as well as authentication are required, the SRP protocol is more secure than the alternative SSH protocol and faster than using Diffie-Hellman key exchange with signed messages. It is also independent of third parties, unlike Kerberos.

SSH needs a key pre-exchange between server and client (a public key has to be placed on the server) before it can work. SRP does not need that: all a client needs are a login and a password, and the whole exchange happens when the connection is established.

Moreover, SRP is resistant to man-in-the-middle attacks.

Important

Use of the new authentication method is not compatible with old security databases and passwords from them. However, an upgrade procedure is available to migrate users from a Firebird 2.x security2.fdb database. For instructions, see Upgrading a v.2.x Security Database in the Compatibility chapter.

Use of an old security database can be supported with the Legacy_Auth authentication plug-in, but this kills the security benefits of Firebird 3.

The Firebird 3 client is built to make it possible to talk to old servers with the default configuration.

SSL/TLS Support

CORE-3251

So, the answer to the question "Does Firebird use SSL/TLS for password validation?" is yes and no. The No applies because, by default, SSL is not used. That is due to a minor licensing incompatibility between Firebird and OpenSSL, the most popular SSL implementation.

The Yes applies because anyone is free to write an authentication plug-in that uses SSL and TLS.

Increased Password Length

CORE-1898.

The implementation of SRP in our plug-in has increased the maximum password length from 8 bytes to 20 or more. Because SHA-1 is used for the hashes, maximum security is provided for passwords up to 20 characters in length. Longer passwords can be used without restriction, but there is a remote possibility of hash collisions between passwords that differ only beyond the 20th byte. Just be aware of the possibility that any password longer than 20 characters could share the same hash with some shorter password, so, theoretically, it could be attacked using brute force.

A custom SRP plug-in could be built quite easily, using a hash algorithm that would guarantee unique hashes for longer passwords.

Tip

The increased length limit means the default SYSDBA password in Windows and MacOS installations is the full 'masterkey' string (9 chars), no longer 'masterke' (8 chars) as in older versions!

Support for the LegacyHash and Authentication parameters in firebird.conf has been dropped. The role of Authentication is taken over by the AuthServer parameter in firebird.conf or elsewhere.

The Authentication Plug-in

The Authentication plug-in comprises three parts:

  • Client—prepares the authentication data on the client side, to be sent to the server

  • Server—validates password for correctness

  • User Manager—adds, modifies and deletes users on the server. It is not needed if some external authentication method, such as Windows trusted authentication, is used.

All three parts are actually separate plug-ins, which should be configured separately in firebird.conf. Let's look at an example of configuring a server to accept connections from old clients. The default settings are:

  AuthServer = Srp, Win_Sspi
  UserManager = Srp

To enable access from old clients, AuthServer needs to be changed:

  AuthServer = Srp, Win_Sspi, Legacy_Auth
      

If we also want to manage the list of users in the old format we must add:

  UserManager = Legacy_UserManager
      

Multiple User Managers

Multiple user managers can be enumerated in firebird.conf. The first member of the list of user managers is the default. Selecting from sec$users would produce something like the following:

SQL> select SEC$USER_NAME, SEC$PLUGIN from sec$users;

SEC$USER_NAME                   SEC$PLUGIN
=============================== ===============================
SYSDBA                          Legacy_UserManager
SYSDBA                          Srp
QA_USER1                        Srp
QA_USER2                        Srp
QA_USER3                        Srp
QA_USER4                        Srp
QA_USER5                        Srp
GUEST                           Srp
SHUT1                           Srp
SHUT2                           Srp
QATEST                          Srp
      

There might well be two users named SYSDBA in such a list, because each user manager has its own SYSDBA.

Notes

  • All user management commands can have the USING PLUGIN clause, whose purpose is to enable selection of a particular UserManager plug-in from the list in firebird.conf.

  • The default user manager in firebird.conf is Srp. If you need to manage legacy logins, set it to Legacy_UserManager, e.g., UserManager = Legacy_UserManager,Srp.

  • UserManager can be configured at database level, in databases.conf.

V. 3.0.4 SRP Security Patch

Alex Peshkov

Tony Whyman

Review of the Firebird SRP implementation in terms of the NIST guidance on the use of SHA-1 appears to indicate that most uses of SHA-1 continue to be permitted except for its use in generating the client proof.

The SHA-256 message digest may be used instead of SHA-1 for generating the client proof. For compatibility, SHA-1 remains the default for Firebird 3 but SHA-256 is available as an alternative from v.3.0.4 onward, until the decision is taken to make it the default.

Plug-Ins

Separate AuthServer and AuthClient plugins are available for each supported message digest, with the following names:

  • Srp: SHA-1 client proof

  • Srp256: SHA-256 client proof

Both client and server must have an SRP authentication plug-in in common for authentication of a user's password to succeed.
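The SRP exchange sketched at the start of this chapter, with the digest used for the client proof made selectable so that the difference between the Srp and Srp256 plug-ins is visible, as an added Python example. It is not Firebird's code and does not reproduce Firebird's wire format: the group constants (the 1024-bit group from RFC 5054), the RFC 5054 derivation of x and the RFC 2945 layout of the proof M1 are assumptions chosen for illustration, and the user names and passwords in the main block are constructed samples.

```python
import hashlib
import secrets

# Group parameters: the 1024-bit safe prime with generator g = 2 from RFC 5054, Appendix A
# (transcribed here; copy it from the RFC for real use). Assumption: Firebird's own
# plug-ins ship their own group constants, which this example does not reproduce.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576D674DF74"
    "96EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD15DC7D7B46154D6B6"
    "CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4"
    "976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2


def H(digest, *parts):
    """Hash byte strings and big-endian integers with the named digest; return an int."""
    h = hashlib.new(digest)
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        h.update(p)
    return int.from_bytes(h.digest(), "big")


def private_key(digest, user, password, salt):
    """x = H(salt, H(user ':' password)) as in RFC 5054; only g^x is ever stored."""
    return H(digest, salt, H(digest, f"{user}:{password}".encode()))


def register(digest, user, password):
    """User-manager side (CREATE USER time): store a random salt and verifier v = g^x."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_key(digest, user, password, salt), N)


def client_proof(digest, user, salt, A, B, K):
    """M1 = H(H(N) xor H(g), H(user), salt, A, B, K): the RFC 2945 layout (assumed here)."""
    return H(digest, H(digest, N) ^ H(digest, g), H(digest, user.encode()), salt, A, B, K)


def authenticate(server_digest, client_digest, user, stored_password, typed_password):
    """One login attempt. The digest names play the role of the plug-ins: 'sha1' is what
    Srp uses for the client proof, 'sha256' what Srp256 uses.
    Returns True iff the server accepts the client's proof."""
    salt, v = register(server_digest, user, stored_password)

    # Message 1, client -> server: user name and public ephemeral A = g^a mod N.
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)

    # Message 2, server -> client: salt and B = k*v + g^b mod N, with k = H(N, g).
    if A % N == 0:                        # the protocol rejects a zero A outright
        return False
    k_s = H(server_digest, N, g)
    while True:
        b = secrets.randbelow(N - 2) + 1
        B = (k_s * v + pow(g, b, N)) % N
        if B != 0:                        # otherwise the server simply picks another b
            break
    u_s = H(server_digest, A, B)
    if u_s == 0:
        return False
    K_server = H(server_digest, pow(A * pow(v, u_s, N), b, N))
    expected = client_proof(server_digest, user, salt, A, B, K_server)

    # Message 3, client -> server: proof M1, computed with the client's digest.
    if B % N == 0:                        # the client must abort on a zero B
        return False
    k_c = H(client_digest, N, g)
    u_c = H(client_digest, A, B)
    x = private_key(client_digest, user, typed_password, salt)
    S_client = pow((B - k_c * pow(g, x, N)) % N, a + u_c * x, N)
    K_client = H(client_digest, S_client)
    M1 = client_proof(client_digest, user, salt, A, B, K_client)

    # Server-side check of the proof, in constant time. If it matches, both sides also
    # hold the same session key K without it ever having been sent over the wire.
    return secrets.compare_digest(M1.to_bytes(64, "big"), expected.to_bytes(64, "big"))


if __name__ == "__main__":
    # Constructed sample logins; the user name mirrors the sec$users listing above.
    print("Srp    ok :", authenticate("sha1", "sha1", "QA_USER1", "masterkey", "masterkey"))
    print("Srp256 ok :", authenticate("sha256", "sha256", "QA_USER1", "masterkey", "masterkey"))
    print("bad pwd   :", authenticate("sha1", "sha1", "QA_USER1", "masterkey", "masterke"))
    print("mismatch  :", authenticate("sha256", "sha1", "QA_USER1", "masterkey", "masterkey"))
```

authenticate() runs the user manager, server and client roles of one login in a single process and returns whether the server accepts the proof. The last call in the main block is the point behind the requirement that both sides share an SRP plug-in: a server that computes k, u and M1 with SHA-256 never accepts a proof produced by a SHA-1 client, so a server configured with Srp256 alone (the NIST Compliance setting later in this chapter) cannot be talked down to the SHA-1 proof, whereas a server offering both plug-ins decides by whichever one the client ends up using.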

Configuration Details

The SRP UserManager is still called Srp and it is unchanged. Neither the user manager nor the security database is affected by the choice of message digest used to compute the client proof.

The default configuration file entries in firebird.conf for AuthServer and AuthClient are now:

AuthServer = Srp (All platforms)
AuthClient = Srp, Srp256, Legacy_Auth (POSIX clients)
AuthClient = Srp, Srp256, Win_Sspi, Legacy_Auth (Windows clients)

With these settings, a Firebird client can use Srp to authenticate using either SHA-256 or SHA-1 to compute the client proof and is thus backwards-compatible with Firebird 3 servers.

Beware!

A deployment where both clients and server support both the legacy Srp (using SHA-1) and the Srp256 SHA-2 authentication plug-ins should be avoided, as it might enable an attacker to disrupt the Srp256 authentication, thereby forcing Firebird to use the weaker Srp SHA-1 client proof without the user being aware of it.

For a more detailed description, please read the document /doc/README.SecureRemotePassword.html in your Firebird 3.0.4 installation.

NIST Compliance

If you need NIST compliance and/or higher security you can set

  AuthServer = Srp256

This will break compatibility with pre-3.0.4 clients.
