[standards-jig] Re: [Foundation] Last Minute JEP 78 Concerns

Iain Shigeoka iain at jivesoftware.com
Tue May 27 17:26:26 UTC 2003


On Tuesday, May 27, 2003, at 10:00 US/Pacific, Chris Mullins wrote:

> I would like to see the "edigest" such as you describe below replace 
> the
> existing digest.
>
> Passing the plain text passwords around during registration, and them
> storing them on the server in plain text always struck me as dangerous.

If I understand the algorithm correctly, sending the digest password is 
no different than sending the plain text password over the wire as far 
as hacking it goes. intercepting the sha1(password) in this protocol is 
equivalent to intercepting password (or stealing it from persistent 
storage on the server).

The minor benefit is you prevent someone from being able to take the 
hashed password from the database (or off the wire) and being able to 
type it into a standard Jabber client for logging in.

It feels like we're creating the illusion of better security without 
actually enhancing it. Of course, I could be  wrong...

-iain

>
>
> -- 
> Chris Mullins
>
> -----Original Message-----
> From: standards-jig-admin at jabber.org
> [mailto:standards-jig-admin at jabber.org] On Behalf Of Peter Saint-Andre
> Sent: Tuesday, May 27, 2003 8:45 AM
> To: standards-jig at jabber.org
> Subject: Re: [standards-jig] Re: [Foundation] Last Minute JEP 78
> Concerns
>
> On Sat, May 24, 2003 at 12:14:32PM +0200, Jacek Konieczny wrote:
>> On Fri, May 23, 2003 at 04:47:36PM -0500, Peter Saint-Andre wrote:
>>> This document is now standards-track so that we can included it in
> the
>>> Jabber IM Basic protocol suite. This is essentially for the sake of
>>> platforms that won't soon have SASL libraries (if ever), such as
> J2ME.
>>
>> SASL implementation including only the required DIGEST-MD5 mechanism
> is
>> quit easy and I don't see the reason why one should require a special
>> library, even if it is available. The widely used cyrus-sasl library
> is
>> IMHO quite complicated and not very well documented and I would trust
>> more those Jabber implementations that don't use cyrus-sasl, unless
> more
>> than DIGEST-MD5 is needed.
>
> OK. I guess I have two questions:
>
> 1. Is it realistic to expect clients on all platforms to support SASL?
> Remember that I'm not a coder. :-) However, I've been told that it is
> unreasonable to expect some platforms (J2ME is the main one I've heard
> mentioned) to support SASL authentication anytime soon.
>
> 2. If not, do we need to have a more secure method for authentication
> that uses the old jabber:iq:auth protocol -- or will the Council 
> require
> one in order to approve this JEP?
>
> If the answer to #1 is "no", then I think the answer to #2 is "yes".
>
> If we need a more secure jabber:iq:auth method, I propose the
> following...
>
> Right now the <digest/> method uses the following algorithm:
>
>   value of <digest/> == sha1(StreamID + password)
>
> This results in storage of the plaintext password in the server's data
> storage. Both dizzy and hildjj independently came up with the following
> enhancement (let's call it "edigest" for enhanced digest):
>
>   value of <edigest/> == sha1(StreamID + sha1(password))
>
> This would result in storage of sha1(password) in data storage, rather
> than the plaintext password.
>
> We could support this in both jabber:iq:auth and jabber:iq:register so
> that the plaintext password is never sent over the wire or stored by 
> the
> server on the filesystem, in a database, or whatever.
>
> Thoughts?
>
> Peter
>
> -- 
> Peter Saint-Andre
> Jabber Software Foundation
> http://www.jabber.org/people/stpeter.php
>
> _______________________________________________
> Standards-JIG mailing list
> Standards-JIG at jabber.org
> http://mailman.jabber.org/listinfo/standards-jig
>
> _______________________________________________
> Standards-JIG mailing list
> Standards-JIG at jabber.org
> http://mailman.jabber.org/listinfo/standards-jig
>




More information about the Standards mailing list