[JDEV] Question about password digest

David Waite mass at akuma.org
Thu Sep 12 17:00:05 CDT 2002

Sebastian Paul Avarvarei wrote:

>Hello David,
>Thank you for your reply. However, like any good answer, it raises more questions :)
>I'm a little bit at loss here - still newbie in these areas. I'm not sure what's the difference between <digest> and <hash>/zero-k auth. If you could give me a pointer to some docs on the subject, I would appreciate it. What's the method for computing the digest? Isn't it like the "openssl sha1" command?
They are very similar. The main difference is that the zero-knowledge 
auth is a key which gets modified each time you authenticate, such that 
the server does not actually know what your password is. With 
digest-based auth, the server must store a copy of the plaintext password.

digest = hex(SHA1(session_id + password))

Where SHA1 is the standard sha algorithm returning binary data, and 
hex() encodes this as lowercase hexidecimal characters. This should be 
the output of the "openssl sha1" command.

Zero-knowledge auth is described at 
http://docs.jabber.org/draft-proto/html/zerok.html; it is not standard 
and probably never will be with the push for SASL.

-David Waite

More information about the JDev mailing list