[standards-jig] Re: [Foundation] Last Minute JEP 78 Concerns

Casey Crabb crabbkw at nafai.dyndns.org
Tue May 27 17:12:22 UTC 2003


> Right now the <digest/> method uses the following algorithm:
> 
>   value of <digest/> == sha1(StreamID + password)
> 
> This results in storage of the plaintext password in the server's data
> storage. Both dizzy and hildjj independently came up with the following
> enhancement (let's call it "edigest" for enhanced digest):
> 
>   value of <edigest/> == sha1(StreamID + sha1(password))
> 
> This would result in storage of sha1(password) in data storage, rather
> than the plaintext password.

I don't think this is any more secure than just sha1(StreamID +
password). What happens is that sha1(password) is
password-equivalent.

At some point sha1(password) has to travel over the line; at this
point it can be sniffed. Or, if you have access to the server's spool
you can just read it out of there.

Given that you know sha1(password):
You can't just login using a random client now, but writing a custom
one to use the known sha1(password) is not difficult.



Does this make sense; am I missing something?

--
Casey
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://mail.jabber.org/pipermail/standards/attachments/20030527/20893fa2/attachment.sig>


More information about the Standards mailing list