[JDEV] Single Sign on and stuff

Max Metral Max.Metral at PeoplepcHQ.com
Mon Oct 8 16:58:05 CDT 2001

If I gain physical access to your machine, cookies are the least of your
problems.  Cookies in themselves don't make replay attacks more or less
possible.  How people use them is a different story.

-----Original Message-----
From: Jonathan Siegle [mailto:jsiegle at psu.edu]
Sent: Friday, October 05, 2001 2:57 PM
To: jdev at jabber.org
Subject: Re: [JDEV] Single Sign on and stuff

>    6. Once returned to the original site A properly authenticated, Site
>       A can set a cookie containing the username, so from now on when
>       visiting that site you are automatically logged in.

I have huge problems using cookies for authentication purposes of any
kind. Why couldn't I capture your cookie and be you? If I got into your
machine, what would stop me from using your cookies?

> _Arbitrary services_
> We will use the example of a jabber aware FTP server and client for this
> section.
>    1. User connects to jabber-aware FTP server using jabber aware client
>    2. User gives client username and credentials (password, certificate,
>       whatever)

I capture the credentials.

>    3. User sends username to FTP server.
>    4. FTP server sends message to jabber server via either an IQ or SOAP
>       asking for "service" authentication
>    5. Server responds with a token (random number), which the FTP server
>       then sends to the client

I capture the token.

>    6. FTP client hashes credentials with random number and sends to ftp
>       server, which forwards this hash to the jabberd

I hash the creds with the number.

>    7. Jabber server checks hashed credentials, and if clear sends
>       message back to FTP server announcing this fact, or otherwise
>       information about what went wrong.

>    8. User is now authenticated.

I am now that user. woohoo!

I was going to type in RFC 1510 here. Here is a link:
http://www.ietf.org/rfc/rfc1510.txt

The big concept I want to drive home here is that no passwords or other 
relevant pieces of information that could be stolen to impersonate
someone are sent over the wire.  We really should consider that when
creating an authentication protocol. Tell me why I am wrong.
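The challenge-response of steps 3 through 8 above, written out as an added example (this is not code from the thread or from any jabberd or FTP implementation). It assumes an unspecified "hash" of credential plus token, filled in here with HMAC-SHA256, a constructed user store, and a token that the jabber side consumes on first use. It shows what the proposal does buy: the password never crosses the wire, and a captured token/response pair cannot be replayed once used. It also shows the limit the exchange above is arguing about: the server-side check is only as strong as the secrecy of the credential held by the client at step 2.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential store; stands in for whatever the jabber
# server knows about its users (hypothetical values, not from the thread).
USERS = {"alice": "correct-horse-battery"}


def compute_response(credential, token):
    """Step 6: the client combines its credential with the server's random
    token. HMAC-SHA256 is an assumption; the proposal just says 'hashes'."""
    return hmac.new(credential.encode(), token.encode(), hashlib.sha256).hexdigest()


class JabberAuthService:
    """Stand-in for the jabber server of steps 4-7: issues one-time tokens
    and checks the hashed credentials against its own copy of the secret."""

    def __init__(self, users):
        self._users = dict(users)
        self._outstanding = {}  # token -> username it was issued for

    def issue_token(self, username):
        """Steps 4-5: answer the FTP server's request with a fresh random token."""
        if username not in self._users:
            return None
        token = secrets.token_hex(16)
        self._outstanding[token] = username
        return token

    def verify(self, username, token, response):
        """Step 7: check the hash. The token is removed on first use, so a
        (token, response) pair seen on the wire cannot be submitted twice."""
        owner = self._outstanding.pop(token, None)
        if owner != username:
            return False
        expected = compute_response(self._users[username], token)
        return hmac.compare_digest(expected, response)


def ftp_login(auth, username, credential):
    """Steps 3-8 end to end. Returns (authenticated, wire_traffic), where
    wire_traffic is what an observer of the client/FTP-server link sees."""
    token = auth.issue_token(username)
    if token is None:
        return False, None
    response = compute_response(credential, token)
    return auth.verify(username, token, response), (token, response)


def replay_succeeds(auth, username, wire_traffic):
    """Defender check: does resubmitting previously observed traffic authenticate?"""
    token, response = wire_traffic
    return auth.verify(username, token, response)


if __name__ == "__main__":
    auth = JabberAuthService(USERS)
    ok, traffic = ftp_login(auth, "alice", USERS["alice"])
    print("genuine login:", ok)
    print("password visible on the wire:", USERS["alice"] in traffic[1])
    print("replay of observed traffic:", replay_succeeds(auth, "alice", traffic))
```

Note that `verify` consumes the token before comparing, so a wrong guess also burns the token; a real deployment would additionally expire unused tokens after a short window so the `_outstanding` table cannot grow without bound.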
