Insecurity in MD5 authentication (again)

I'm sorry to bring this up again. From the archives I found that the
current md5 authentication scheme of postgres was designed in 2001. I
found a debate about it's security from 2002.
http://archives.postgresql.org/pgsql-hackers/2001-06/msg00511.php
http://archives.postgresql.org/pgsql-hackers/2001-06/msg00952.php
http://archives.postgresql.org/pgsql-general/2002-06/msg00484.php

My problem is this: we have ODBC users working from home, so they cannot
use SSL unless we buy the commercial drivers. We decided that encrypting
the data is not required, but we do need to strictly protect access to
our database.

With the current MD5 authentication, an eavesdropper can obtain the
random salt and matching MD5 response. When enough logins are
eavesdropped on, it becomes feasible for the eavesdropper to connect to
the server until a salt is offered for which it knows the valid MD5
response.

To prevent this attack, the salt should be communicated using a
Diffie-Hellman key exchange. This way, the salt will be known by the
server and the client, but not by an eavesdropper. See
http://www.rsasecurity.com/rsalabs/node.asp?id=2248

I realize this would require changes on both the client and server side,
but it would up the security of the authentication mechanism one notch.

Please Cc me in any replies, since I am not on this list.

--
Richard van den Berg, CISSP

Trust Factory B.V. | http://www.trust-factory.com/
Bazarstraat 44a | Phone: +31 70 3620684
NL-2518AK The Hague | Fax : +31 70 3603009
The Netherlands |