[standards-jig] Re: [Foundation] Last Minute JEP 78 Concerns
crabbkw at nafai.dyndns.org
Tue May 27 17:12:22 UTC 2003
> Right now the <digest/> method uses the following algorithm:
> value of <digest/> == sha1(StreamID + password)
> This results in storage of the plaintext password in the server's data
> storage. Both dizzy and hildjj independently came up with the following
> enhancement (let's call it "edigest" for enhanced digest):
> value of <edigest/> == sha1(StreamID + sha1(password))
> This would result in storage of sha1(password) in data storage, rather
> than the plaintext password.
I don't think this is any more secure than just sha1(StreamID +
password). What happens is that sha1(password) is
At some point sha1(password) has to travel over the line; at this
point it can be sniffed. Or, if you have access to the server's spool
you can just read it out of there.
Given that you know sha1(password):
You can't just login using a random client now, but writing a custom
one to use the known sha1(password) is not difficult.
Does this make sense; am I missing something?
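To make the point above concrete, here is a small added example (not code from the thread or from JEP-78 itself) that computes both the original <digest/> and the proposed <edigest/>, verifies an <edigest/> response on the server side using only the stored sha1(password), and shows that a party who knows nothing but that stored value can produce a response the server accepts. The stream ID and password are constructed sample values; sha1() is taken to mean lowercase hex output as in JEP-78's <digest/>, which is an assumption about the notation used in the thread.

```python
import hashlib
import hmac


def sha1_hex(data: str) -> str:
    """Lowercase hex SHA-1 of a UTF-8 string, the sha1() notation of the thread."""
    return hashlib.sha1(data.encode("utf-8")).hexdigest()


def digest(stream_id: str, password: str) -> str:
    """Original JEP-78 <digest/>: sha1(StreamID + password).
    The server must keep the plaintext password to recompute this value."""
    return sha1_hex(stream_id + password)


def edigest(stream_id: str, password: str) -> str:
    """Proposed <edigest/>: sha1(StreamID + sha1(password)).
    The server only needs sha1(password) in its data storage."""
    return sha1_hex(stream_id + sha1_hex(password))


def server_verify_edigest(stream_id: str, stored_sha1_password: str, response: str) -> bool:
    """Server-side check of an <edigest/> value, given only the stored sha1(password).
    Constant-time comparison avoids leaking the expected value via timing."""
    expected = sha1_hex(stream_id + stored_sha1_password)
    return hmac.compare_digest(expected, response)


def respond_from_stored_secret(stream_id: str, stored_sha1_password: str) -> str:
    """What anyone holding only sha1(password), never the password, can produce.
    It is byte-for-byte what the server expects, so the stored value is a
    password-equivalent and must be protected exactly as the plaintext would be."""
    return sha1_hex(stream_id + stored_sha1_password)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    stream_id = "streamid-1234"
    password = "correct horse"
    stored = sha1_hex(password)  # what the server keeps under the edigest proposal

    print("digest :", digest(stream_id, password))
    print("edigest:", edigest(stream_id, password))
    print("server accepts real client:",
          server_verify_edigest(stream_id, stored, edigest(stream_id, password)))
    print("server accepts response built from stored value alone:",
          server_verify_edigest(stream_id, stored, respond_from_stored_secret(stream_id, stored)))
```

The last line of output is the whole argument of the reply: because the server's own check needs nothing beyond sha1(password), a copy of the spool (or of that value in transit) is as good as the password for this mechanism, so the change only alters what is stored, not what an attacker needs.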