[JDEV] Security

Donn Cave donn at u.washington.edu
Fri Apr 7 18:21:06 CDT 2000


Quoth William Ahern <wahern at jinsa.org>:
...
| I'm using an SRP enabled telnet solution on my unix boxes. I wish this was more
| widely used. It doesn't 'encrypt' the passwd to keep it secure, but uses a
| tested algorithm that allows the server to determine whether or not the client
| has the appropriate passwd. Nothing is sent, encrypted or otherwise, that could
| compromise the passwd.

I submitted code for MIT Kerberos 5 support a ways back, v0.7 or something
along those lines.  That's a similar notion, no password on the wire,
encrypted or otherwise, and supported not only by the MIT release
(http://web.mit.edu/kerberos/www/) but also DCE and now Windows 2000.
Applications can leverage the cryptography for data encryption, but
the real point is purely authentication.

Kerberos authentication allows me to authenticate to a service not only
without sending the password, but perhaps more significantly here
the application server doesn't ever see my password, it relies on the
Kerberos realm central authority to verify my identity.  That's important
if the jabber server might be hosted on a computer whose security isn't
guaranteed.

I have some version 0.9 pre release and finally managed to build it
(does anyone but me ever try to build this software on anything but
Linux?), but have not yet looked at re-integrating the Kerberos code.

	Donn Cave, donn at u.washington.edu
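As an added illustration of the flow Donn describes (example code, not from jabberd or the MIT Kerberos release), a Python sketch of the Kerberos ticket exchange: the user and the KDC share a password-derived key, the KDC and the jabber service share a service key, and the service checks the ticket with its own key alone, so it never holds or sees the password. The HMAC-SHA256 keystream cipher, the service name `jabber/host.example` and the principal names are stand-ins; the message flow, not the cipher, is what it demonstrates.

```python
import hashlib, hmac, json, os, time

def string2key(password: str, salt: bytes) -> bytes:
    """Client long-term key derived from the password; only client and KDC hold it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, msg: dict) -> bytes:
    """Encrypt-then-MAC a JSON message under key (toy stand-in for a Kerberos enctype)."""
    pt, nonce = json.dumps(msg).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag, then decrypt; a wrong key raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Realm authority: the only party besides the user who knows the user's key."""
    def __init__(self, service: str):
        self.salt = os.urandom(8)              # public; real Kerberos sends it in the AS-REP
        self.keys = {service: os.urandom(32)}  # service key, shared only with that service
    def register(self, principal: str, password: str) -> None:
        self.keys[principal] = string2key(password, self.salt)
    def as_exchange(self, client: str, service: str) -> tuple:
        """AS-REQ/AS-REP: a ticket the service can read and a part only the client can read."""
        sk = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": client, "session_key": sk})
        return seal(self.keys[client], {"session_key": sk, "service": service}), ticket

def client_login(kdc: KDC, client: str, password: str, service: str) -> tuple:
    """Client: the password never leaves this function; it only unlocks the AS-REP."""
    enc_part, ticket = kdc.as_exchange(client, service)
    sk = bytes.fromhex(unseal(string2key(password, kdc.salt), enc_part)["session_key"])
    return ticket, seal(sk, {"client": client, "time": time.time()})

def service_verify(service_key: bytes, ticket: bytes, authenticator: bytes, skew=300) -> bool:
    """Application server: needs only its own key, never sees or checks a password."""
    t = unseal(service_key, ticket)
    a = unseal(bytes.fromhex(t["session_key"]), authenticator)
    return a["client"] == t["client"] and abs(time.time() - a["time"]) < skew
```

A wrong password surfaces on the client side as a failed decryption of the AS-REP, so nothing about the password ever reaches the service host.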




