[JDEV] Single Sign on and stuff

Jonathan Siegle jsiegle at psu.edu
Fri Oct 5 13:57:24 CDT 2001

>    6. Once returned to the original site A properly authenticated, Site
>       A can set a cookie containing the username, so from now on when
>       visiting that site you are automatically logged in.

I have huge problems using cookies for authentication purposes of any
kind. Why couldn't I capture your cookie and be you? If I got into your
machine, what would stop me from using your cookies? 

> _Arbitrary services_
> We will use the example of a jabber aware FTP server and client for this
> section.
>    1. User connects to jabber-aware FTP server using jabber aware client
>    2. User gives client username and credentials (password, certificate,
>       whatever)

I capture the credentials.

>    3. User sends username to FTP server.
>    4. FTP server sends message to jabber server via either an IQ or SOAP
>       asking for "service" authentication
>    5. Server responds with a token (random number), which the FTP server
>       then sends to the client
I capture the token.

>    6. FTP client hashes credentials with random number and sends to ftp
>       server, which forwards this hash to the jabberd
I hash the creds with the number.

>    7. Jabber server checks hashed credentials, and if clear sends
>       message back to FTP server announcing this fact, or otherwise
>       information about what went wrong.

>    8. User is now authenticated.
I am now that user. woohoo! 

I was going to type in RFC1510 here. Here is a link 
http://www.ietf.org/rfc/rfc1510.txt . 

The big concept I want to drive home here is that no passwords or other 
relevant pieces of information that could be stolen to impersonate
someone are sent over the wire.  We really should consider that when
creating an authentication protocol. Tell me why I am wrong.


More information about the JDev mailing list