[JDEV] Security

Dave Smith dave at jabber.org
Fri Apr 7 15:53:40 CDT 2000


On Fri, Apr 07, 2000 at 04:37:47PM -0400, William Ahern wrote:
> 
> Maybe I'm misunderstanding you, but just sending something like an md5 sum
> over the wire is equivalent to sending plaintext, since either way a sniffer
> can see what it needs.
> 
The key to sending digests is that the md5 sum is calculated based off a one-time session key assigned by the server. So, when the client connects to a server, a one-time session seed (i.e. random number) is sent to the client. The client uses this seed and the plaintext password as input into the md5 summation. Hence, the md5 sum sent to the server is secure against replay attacks since it is calculated on a one-time basis.

D.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
URL: <http://mail.jabber.org/pipermail/jdev/attachments/20000407/571331cc/attachment-0002.pgp>


More information about the JDev mailing list