[JDEV] 0K Authentication

Chris Chen ckchris at idream.net
Thu Oct 11 15:48:39 CDT 2001

 From what I understand, Java uses SHA1 for encryption.  This could 
possibly be the problem.

But if Jabber is using SHA and not SHA1, then I would suggest that Jabber 
be upgraded to using SHA1. There is an unpublished flaw in SHA that makes 
it vulnerable.  SHA1 should be more secure..

What do you think about changing 0k Authentication to using SHA1 instead?


At 07:48 PM 10/10/2001, you wrote:
>Does the digest library your using distinguish between SHA and SHA1?  If 
>so, that could be the problem, otherwise I don't know enough java to 
>compare it to the C the server uses to generate it.  But if you can read 
>C, here's the snippet:
>     /* first, hash the pass */
>     shahash_r(pass,hash);
>     /* next, hash that and the token */
>     shahash_r(spools(m->packet->p,hash,token,m->packet->p),hash);
>     /* we've got hash0, now make as many as the sequence is */
>     for(i = 0; i < sequence; i++, shahash_r(hash,hash));
>I know that gabber and winjab are supporting it, but if it's a problem in 
>the spec I'd be happy to fix it, or if anyone has time to update the .sgml 
>with better examples feel free.
>On the reset/update, I published a new draft at 
>http://core.jabber.org/white/zerokreg.sgml.html and implemented it in 
>current CVS.  If it works out well, I'd like to combine all the zerok work 
>and publish a JEP on it in the near future.
>jdev mailing list
>jdev at jabber.org

PGP at ldap://certserver.pgp.com/

More information about the JDev mailing list