[jadmin] jabberd14 'crypt' password storage in postgressql

Norman Rasmussen norman at rasmussen.co.za
Mon Jun 11 13:19:25 CDT 2007


On 6/11/07, Martel Valgoerad <martel at post.pl> wrote:
>
> Why? Couldn't the hash be calculated on a client side? So only this hash
> would be sent over the wire and a server would just need to compare two
> hashes - one sent to it and the other stored in its internal DB. What I
> believe was Oliver's original meaning.
>

And then all it requires is a slightly modified client (i.e. that doesn't
hash what is entered) to transmit the known hash.  You haven't proved the
client knows the password, just that the hash is known.  You need to start
adding nonces to prove the client knows the hash, and once you do that the
server needs the clear-text password again.

-- 
- Norman Rasmussen
- Email: norman at rasmussen.co.za
- Home page: http://norman.rasmussen.co.za/
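The two schemes Norman contrasts, as an added illustration that is not part of the thread (credentials and hash function are constructed for the demo, not anything jabberd14 does): in the hash-only scheme the value stored in the database is itself sufficient to authenticate, while the nonce-based scheme rejects a replayed value but can only be verified by a server that holds the clear-text password (or whatever the client uses as its key, which then becomes password-equivalent).

```python
import hashlib
import hmac
import os

# Constructed sample credential for the demonstration.
PASSWORD = "correct horse battery staple"
# What the server's DB holds under "hash the password and store it".
STORED_HASH = hashlib.sha256(PASSWORD.encode()).hexdigest()


# Scheme 1: client sends H(password), server compares with the stored hash.
def honest_client_hash_only(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def hash_only_server_accepts(presented_hash: str) -> bool:
    # Note: the stored value alone satisfies this check, so a leaked DB row
    # is a usable credential. Nothing here proves the password was known.
    return hmac.compare_digest(presented_hash, STORED_HASH)


# Scheme 2: challenge-response with a fresh server nonce. The client proves
# possession of the password by keying an HMAC over the nonce; the server can
# only verify that by recomputing it from the clear-text password.
def issue_nonce() -> bytes:
    return os.urandom(16)


def client_response(secret: str, nonce: bytes) -> str:
    return hmac.new(secret.encode(), nonce, hashlib.sha256).hexdigest()


def nonce_server_accepts(cleartext_password: str, nonce: bytes,
                         response: str) -> bool:
    expected = hmac.new(cleartext_password.encode(), nonce,
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response)
```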