[Standards] Re: [jdev] XEP-0115: Entity Capabilities

Ian Paterson ian.paterson at clientside.co.uk
Wed Jul 4 01:39:24 UTC 2007


Justin Karneges wrote:
> Apologies for not understanding this thread at all and just commenting out of 
> nowhere, but what security is gained by using a hash in the caps protocol?  
> If there is no security gained by using a hash (e.g. everyone has access to 
> the raw data such that they can all calculate the same hash) then what 
> difference does it make which algorithm is used?
>   

What if the raw data is supplied by the attacker?

Imagine Eve wants to poison the caches of clients that haven't yet 
received presence from a brand new release of Psi.

If it is easy to discover collisions for the hash used by Psi, then Eve 
can send Psi's hash to a client and respond to its resulting disco 
request with a false set of features that she generated earlier. The 
false set would probably include a single unrecognizable feature whose 
'var' value could be manipulated to ensure the set has the correct hash 
value, for example:
<feature var='6e4G$h#$vFsgn*F4 at Rie$EGd#$gg73S'/>.

- Ian




More information about the Standards mailing list