[Standards-JIG] Re: Re: JEP-0077: In-Band Registration

Tijl Houtbeckers thoutbeckers at splendo.com
Mon Jul 17 21:14:33 UTC 2006


On Mon, 17 Jul 2006 22:57:50 +0200, Dave Cridland <dave at cridland.net>  
wrote:

> On Mon Jul 17 21:21:48 2006, Peter Saint-Andre wrote:
>> Chris Mullins wrote:
>>> Piotr Szturmaj Wrote:
>>>> All I want is storing hashes on disk instead of plain text
>>>> passwords (even encrypted).
>>>
>>> That's always been an issue with the legacy authentication types - the
>>> need to store the real password. Storing a hash + salt is certainly
>>> preferable.
>>
>> Well, I've been chatting with Piotr via IM, and his concern does seem to
>> be that the password gets stored on the client machine in plaintext. He
>> thinks that Jabber systems will be more secure if the credentials are
>> stored as a hash on the client machine. That way, even if a hacker gains
>> control of my machine, they'll have only the hash -- which makes it
>> trivial for the hacker to log into my Jabber account of course, but at
>> least the hacker won't be able to discover the plaintext (which I might
>> have used for other accounts or whatever).
>
> This is precisely the purpose of DIGEST-MD5, and I do precisely this for  
> my SASL implementation which handles clients for a number of SASL-based  
> services. Of course, the hash can be brute-force cracked, eventually.  
> Tijl seemed to suggest that you needed to keep the nonce the same, or  
> something, but you don't - that only affects the final hash, not the  
> intermediate.

Ah yes, you can store the { username-value, ":", realm-value, ":", passwd
}. In fact that's what I've been saying more or less, but then I browsed the
RFC a bit too quickly and gave up on that again. (It was 34 Celsius / 93
Fahrenheit today here :P)

So, like it was said before, SASL can take care of all your needs
(including replay). If you want to use in-band registration without
exposing the plain text password you should have the client send this
intermediate hash to the server over TLS during registration. Keep in mind
that storing this hash unprotected is still a risk: you can still log in
to the realm. But at least there's more benefit from doing the hashing
and the salting (you protect everything outside the realm, and not just
because you're using obscure methods).

Thanks Dave!
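The intermediate value discussed in this thread, worked through as an added example (this is not code from the thread, from any XMPP server, or from Dave's SASL implementation). It implements the RFC 2831 DIGEST-MD5 `response` and `rspauth` computation for `qop=auth`, starting from the stored H(username ":" realm ":" password) rather than the password, and a minimal server-side account store that only ever receives that intermediate at registration time. The `ServerAccountStore` class, the `register`/`verify` method names and all usernames, realms, nonces and passwords are constructed for the example.

```python
"""DIGEST-MD5 (RFC 2831) authentication from a stored intermediate hash.

Added example, not code from the mailing-list thread or any XMPP project.
It demonstrates two points from the discussion above:
  * the server (and a client that does not want to keep the plaintext
    password) only needs H(username ":" realm ":" password), the first
    step of A1; and
  * that value is independent of the per-session nonce/cnonce, so one
    stored intermediate serves every later authentication.
Only qop=auth is handled (auth-int appends a body hash to A2).
"""
import hashlib
import secrets
from typing import Dict, Optional


def intermediate(username: str, realm: str, password: str) -> bytes:
    """Raw 16-byte MD5 of 'username:realm:password' (RFC 2831 section 2.1.2.1).

    This is what the server can store instead of the password, and what a
    client could send over TLS during in-band registration instead of the
    password itself.
    """
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()


def _h(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def digest_response(ha1_raw: bytes, nonce: str, cnonce: str, nc: str, qop: str,
                    digest_uri: str, authzid: Optional[str] = None,
                    rspauth: bool = False) -> str:
    """Compute the client 'response' or, with rspauth=True, the server 'rspauth'.

    ha1_raw is the stored intermediate; no plaintext password is needed.
    """
    if qop != "auth":
        raise ValueError("this example only implements qop=auth")
    # A1 = { H(user:realm:pass), ":", nonce, ":", cnonce [, ":", authzid] }
    a1 = ha1_raw + f":{nonce}:{cnonce}".encode("utf-8")
    if authzid is not None:
        a1 += f":{authzid}".encode("utf-8")
    # A2 = "AUTHENTICATE:" digest-uri for the client; ":" digest-uri for rspauth.
    method = b"" if rspauth else b"AUTHENTICATE"
    a2 = method + b":" + digest_uri.encode("utf-8")
    # response = HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2)))), KD(k,s) = H(k:s)
    kd_input = f"{_h(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{_h(a2).hex()}"
    return _h(kd_input.encode("utf-8")).hex()


class ServerAccountStore:
    """Hypothetical server side: keeps only the intermediate hash per user."""

    def __init__(self, realm: str) -> None:
        self.realm = realm
        self._ha1: Dict[str, bytes] = {}

    def register(self, username: str, ha1_raw: bytes) -> None:
        """In-band registration: the client sends ha1_raw (over TLS), never the password."""
        if len(ha1_raw) != 16:
            raise ValueError("intermediate must be a raw 16-byte MD5 digest")
        self._ha1[username] = ha1_raw

    def verify(self, username: str, nonce: str, cnonce: str, nc: str, qop: str,
               digest_uri: str, response: str,
               authzid: Optional[str] = None) -> Optional[str]:
        """Return rspauth if the client's response matches the stored hash, else None."""
        ha1_raw = self._ha1.get(username)
        if ha1_raw is None:
            return None
        expected = digest_response(ha1_raw, nonce, cnonce, nc, qop, digest_uri, authzid)
        # Constant-time comparison avoids leaking how many hex digits matched.
        if not secrets.compare_digest(expected, response):
            return None
        return digest_response(ha1_raw, nonce, cnonce, nc, qop, digest_uri, authzid, rspauth=True)


def demo_exchange(password: str, nonce: str) -> Optional[str]:
    """Register with the constructed sample account, then authenticate with `password`."""
    username, realm, uri = "piotr", "example.com", "xmpp/example.com"
    store = ServerAccountStore(realm)
    store.register(username, intermediate(username, realm, "correct horse"))
    # The client keeps only the intermediate of whatever password it believes is right.
    client_ha1 = intermediate(username, realm, password)
    cnonce, nc = "OA6MHXh6VqTrRk", "00000001"
    response = digest_response(client_ha1, nonce, cnonce, nc, "auth", uri)
    return store.verify(username, nonce, cnonce, nc, "auth", uri, response)


if __name__ == "__main__":
    print("good password ->", demo_exchange("correct horse", "nonce-A"))
    print("bad password  ->", demo_exchange("wrong", "nonce-A"))
```

The design choice worth noticing is that `ServerAccountStore` never sees a password at all: registration and verification both work from the 16-byte intermediate. That is also exactly the caveat raised in the thread, since anyone holding that stored value can authenticate to this realm; what it buys is that the value is useless outside the realm and cannot be reversed to the password without brute force.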
