[Security] TLS Certificates Verification

Jonathan Dickinson jonathanD at k2.com
Wed Aug 20 04:38:02 CDT 2008


> -----Original Message-----
> From: security-bounces at xmpp.org [mailto:security-bounces at xmpp.org] On
> Behalf Of Dirk Meyer
> Sent: Wednesday, August 20, 2008 11:17 AM
> To: XMPP Security
> Subject: Re: [Security] TLS Certificates Verification
>
> Justin Karneges wrote:
> > ...
>
> > Extra points if there'd be a way to authenticate to your XMPP
> > account and retrieve your private key with a single password,
> > without the XMPP server being able to decrypt the private key.
>

Create certificate:
Server creates row in DB, salt column is initialized.
Sends salt to client.
Client performs:
KEY = SHA(salt + password)
DATA = AES(keyfile, KEY)
Client sends DATA to server.

Client needs key:
Server gets salt from DB.
Send salt to client and DATA to client.
Client performs:
KEY = SHA(salt + password)
keyfile = REVAES(keyfile, key)
Client now has original keyfile.

I don't know how secure that is though.

>
>
> Dirk
>
> --
> As long as there are ill-defined goals, bizarre bugs, and unrealistic
> schedules, there will be Real Programmers willing to jump in and Solve
> The Problem, saving the documentation for later.


More information about the Security mailing list