[jadmin] Re: jabberd14 'crypt' password storage in postgressql
Simon Wilkinson
simon at sxw.org.uk
Thu Jun 14 07:28:31 CDT 2007
On 14 Jun 2007, at 13:12, Oliver Block wrote:
> Am Donnerstag, 14. Juni 2007 09:54 schrieb Simon Wilkinson:
>> I think you've got a serious misunderstanding of how modern
>> authentication protocols work.
>
> What do you mean in particular?
Virtually all authentication protocols require the client to prove
knowledge of a secret to the server. For an authentication protocol
to be secure, this secret can't pass across the wire in cleartext. In
most protocols this requires the client and server to both carry out
certain operations on the secret, and exchange the results of those
operations across the network. In order to perform these operations,
the server requires access to the plaintext version of the secret.
The fundamental fact is that for the vast majority of today's
authentication technologies, including ones that are mandatory to
implement in XMPP, the server will require access to the plaintext
version of the secret. I'd highly recommend going back and reading
Norman Ramussen's reply again, which goes into these issues in great
detail. If you're still unclear, then Bruce Schneier's "Applied
Cryptography" is a highly recommended read.
Simon.
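To make the point above concrete, here is an added illustration (not code from the thread or from jabberd14) of a challenge-response exchange in which the server must hold the plaintext secret to verify the client. It uses HMAC over a server nonce as a simplified stand-in for mechanisms such as DIGEST-MD5, and a salted SHA-256 as a stand-in for crypt(3) storage; the password and salt are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential: the same secret recorded two ways.
PASSWORD = "correct horse"      # constructed sample secret
SALT = b"constructedsalt"       # constructed sample salt

def crypt_like(password: str, salt: bytes = SALT) -> str:
    """One-way salted hash, standing in for crypt(3)-style storage."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def server_challenge() -> bytes:
    """Server picks a fresh random nonce for each authentication attempt."""
    return secrets.token_bytes(16)

def client_response(password: str, nonce: bytes) -> str:
    """Client proves knowledge of the secret without sending it: HMAC(secret, nonce)."""
    return hmac.new(password.encode(), nonce, hashlib.sha256).hexdigest()

def verify_with_plaintext(stored_plain: str, nonce: bytes, response: str) -> bool:
    """Server holding the plaintext recomputes the client's operation and compares."""
    expected = client_response(stored_plain, nonce)
    return hmac.compare_digest(expected, response)

def verify_with_crypt(stored_hash: str, nonce: bytes, response: str) -> bool:
    """Server holding only a one-way hash cannot recompute the client's response.

    The only value it can derive is HMAC(stored_hash, nonce), which is not what
    a genuine client computed, so a correct password is still rejected.
    """
    attempt = hmac.new(stored_hash.encode(), nonce, hashlib.sha256).hexdigest()
    return hmac.compare_digest(attempt, response)

def run_exchange(store_kind: str) -> bool:
    """Full exchange: server challenges, client answers, server verifies."""
    nonce = server_challenge()                      # server -> client
    resp = client_response(PASSWORD, nonce)         # client -> server
    if store_kind == "plaintext":
        return verify_with_plaintext(PASSWORD, nonce, resp)
    return verify_with_crypt(crypt_like(PASSWORD), nonce, resp)

if __name__ == "__main__":
    print("plaintext store:", run_exchange("plaintext"))   # True
    print("crypt-style store:", run_exchange("crypt"))     # False
```

The second result is the crux of the thread: with only a crypt() hash on disk, the server has nothing it can compare the client's challenge response against.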