问题
How many iterations does the scram-sha-256 setting use in PostgreSQL 10?
The docs just say
Setting this parameter to scram-sha-256 will encrypt the password with SCRAM-SHA-256.
The build log reads.
Add SCRAM-SHA-256 support for password negotiation and storage (Michael Paquier, Heikki Linnakangas) This proves better security than the existing md5 negotiation and storage method.
回答1:
It's a compile-time variable in scram-common.h known as SCRAM_ITERATIONS_DEFAULT. Currently it's set to 4096.
That's substantially under the specs "rule of thumb" which is cited in Nov 2015 as being 15,000. It's currently the lowest value for permissible iterations. From RFC-7677
The strength of this mechanism is dependent in part on the hash iteration-count, as denoted by "i" in [RFC5802]. As a rule of thumb, the hash iteration-count should be such that a modern machine will take 0.1 seconds to perform the complete algorithm; however, this is unlikely to be practical on mobile devices and other relatively low- performance systems. At the time this was written, the rule of thumb gives around 15,000 iterations required; however, a hash iteration- count of 4096 takes around 0.5 seconds on current mobile handsets. This computational cost can be avoided by caching the ClientKey (assuming the Salt and hash iteration-count is stable). Therefore, the recommendation of this specification is that the hash iteration- count SHOULD be at least 4096, but careful consideration ought to be given to using a significantly higher value, particularly where mobile use is less important.
来源:https://stackoverflow.com/questions/43667908/how-many-iterations-does-the-scram-sha-256-setting-use-in-postgresql-10