Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-7540

The MongoDB challenge response authentication takes place over clear text

XMLWordPrintableJSON

    • Type: Icon: Improvement Improvement
    • Resolution: Done
    • Priority: Icon: Minor - P4 Minor - P4
    • None
    • Affects Version/s: 2.2.0
    • Component/s: Security
    • Labels:
      None
    • Environment:
      RHEL 6.2

      The following process appears to be used for authenticating the client:

      1. Client sends getnonce command to server.
      2. Server replies with a random 16 character nonce.
      3. Client creates a key using the following formula:

      Key = MD5(nonce + username + MD5(username + “:Mongo:” + password))

      4. Client sends the key, nonce, and the username to the server
      5. Server compares the key to check whether or not to authenticate the user.

      The fact that the server uses a randomly generated nonce eliminates
      the risk of a replay attack. However, a malicious user could listen to
      the whole authentication conversation on the wire and attempt to brute force the password. The nonce and the username are known
      so the malicious user would only need to guess the password and
      compare keys.

            Assignee:
            Unassigned Unassigned
            Reporter:
            simon.harvey@citi.com Simon Harvey
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: