[JDEV] 0K Authentication

Chris Chen ckchris at idream.net
Thu Oct 11 18:25:00 CDT 2001

Actually, let me take my previous email back. Both Jabber and Java use 
SHA1.  So now here's my question:

I also looked at Gabber's code and I can understand most of it (other than 
the most important parts).. mainly,

1) When you hash the password, in Java, you'll get back a 20-byte 
array.  This can then be converted into a hex string.  So the question is: 
during the next hash (with the token), do you take the hex string, append 
the token to it, and then hash that resultant string?  Or do you actually 
just take the 20-byte array, hash that, and then hash the token?  The 
difference here is whether the second hashing is hashing the 20-byte array or 
the 40-byte hex representation of the hash.

2) Now after that second hash, you take that hash and run it through the 
number of sequences specified by the sequence.  The question is the same as 
the first one.  Do you take the hex string (40 bytes) representation and 
hash that to obtain the next subsequent hash or do you take the 20-byte 
array and hash that instead?

I'm rather confused about how Gabber or the Jabber server is doing it 
because (1) I don't read C code that well, and (2) I am not sure if the 
sha_hash() C functions actually convert that 40-byte hex representation 
into a 20-byte array first and then hash the bytes.


At 07:48 PM 10/10/2001, you wrote:
>Does the digest library you're using distinguish between SHA and SHA1?  If 
>so, that could be the problem; otherwise I don't know enough Java to 
>compare it to the C the server uses to generate it.  But if you can read 
>C, here's the snippet:
>     /* first, hash the pass */
>     shahash_r(pass,hash);
>     /* next, hash that and the token */
>     shahash_r(spools(m->packet->p,hash,token,m->packet->p),hash);
>     /* we've got hash0, now make as many as the sequence is */
>     for(i = 0; i < sequence; i++, shahash_r(hash,hash));
>I know that gabber and winjab are supporting it, but if it's a problem in 
>the spec I'd be happy to fix it, or if anyone has time to update the .sgml 
>with better examples feel free.
>On the reset/update, I published a new draft at 
>http://core.jabber.org/white/zerokreg.sgml.html and implemented it in 
>current CVS.  If it works out well, I'd like to combine all the zerok work 
>and publish a JEP on it in the near future.

PGP at ldap://certserver.pgp.com/
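
The two readings asked about in questions 1 and 2, side by side, as an added example that is not part of the original thread or of any Jabber code base. It assumes that `shahash_r` writes its result as a 40-character lowercase hex string (which passing `hash` to the string concatenation in `spools` suggests); under that assumption `zerok_hex` mirrors the quoted C snippet. The password, token and sequence values are constructed.

```python
import hashlib


def sha1_hex(data: bytes) -> bytes:
    """SHA-1 of data as 40 lowercase ASCII hex characters."""
    return hashlib.sha1(data).hexdigest().encode("ascii")


def sha1_raw(data: bytes) -> bytes:
    """SHA-1 of data as the raw 20-byte digest."""
    return hashlib.sha1(data).digest()


def zerok_hex(password: str, token: str, sequence: int) -> str:
    """Reading A: every round hashes the 40-character hex text."""
    h = sha1_hex(password.encode("utf-8"))       # first, hash the pass
    h = sha1_hex(h + token.encode("utf-8"))      # hash that and the token -> hash0
    for _ in range(sequence):                    # then `sequence` more rounds
        h = sha1_hex(h)
    return h.decode("ascii")


def zerok_raw(password: str, token: str, sequence: int) -> str:
    """Reading B: every round hashes the raw 20-byte digest."""
    h = sha1_raw(password.encode("utf-8"))
    h = sha1_raw(h + token.encode("utf-8"))
    for _ in range(sequence):
        h = sha1_raw(h)
    return h.hex()                               # hex only for display/transport


# Constructed sample values, not taken from any real account or server.
PASSWORD, TOKEN, SEQUENCE = "example-password", "3B9AC9F2", 3

if __name__ == "__main__":
    print("hex-chained :", zerok_hex(PASSWORD, TOKEN, SEQUENCE))
    print("raw-chained :", zerok_raw(PASSWORD, TOKEN, SEQUENCE))
```

The two functions never agree for the same inputs, so a client and server that pick different readings will fail every login even though both use SHA1 correctly.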
