[JDEV] digest and ldap and authentication
David Waite
mass at ufl.edu
Sun Jul 30 11:34:40 CDT 2000
The problem with this method is that if you capture the hash sent from the
client, you are prone to replay attacks, and if you hack the server and get
the hash, you can log in as any client you would like... in other words,
you've just created plaintext authentication with much more random-looking
passwords.
-David Waite
> -----Original Message-----
> From: jdev-admin at jabber.org [mailto:jdev-admin at jabber.org]On Behalf Of
> Jerrad Pierce
> Sent: Sunday, July 30, 2000 11:52 AM
> To: jdev at jabber.org
> Subject: Re: [JDEV] digest and ldap and authentication
>
>
> In reply to your message from the not too distant future: next Sunday AD
> Reply-to: belg4mit at mit.edu
> Return-receipt-to: belg4mit at mit.edu
> Organization: a) Discordia b) none c) what's that?
> Content-Typo: gibberish, charset=ascii-art
> Date: Sun, 30 Jul 2000 11:52:03 EDT
> From: Jerrad Pierce <belg4mit>
>
> None of this really has to be a problem...
>
> Why are you under the impression you must pass the data to LDAP
> in plaintext?
>
> If the client provides the data hashed, then store that hash in LDAP's
> password field... To authenticate, take the hash the client supplies,
> and use the standard mechanism for verifying a password w/ LDAP.
>
> So LDAP doesn't have a direct copy of the password, big deal. If at least
> one of the hashing algorithms used is sufficiently good, all is well.
> And it could be argued that this is more secure, since the server
> has no real knowledge of the password.
>
> This is kinda the whole point behind OTP (RFC 1938)
>
> Additionally, you don't really need SSL to have encrypted connections either.
> A chaining block cipher would work just as well. For examples see
> the HCE::* modules for Perl.
>
> --
> Jerrad Pierce
> http://www.pthbb.org
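The two positions in this exchange, as an added illustration that is not code from either poster: a server that stores and compares the hash the client sends (the quoted proposal), beside a digest-style challenge-response variant that issues a one-time nonce. The class names, the sample account and the HMAC-SHA256 construction are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets

def password_hash(password):
    # Fixed, unsalted H(password), as the quoted proposal would send and store it.
    return hashlib.sha256(password.encode()).hexdigest()

class FixedHashServer:
    """Quoted scheme: client sends H(password); server stores and compares it."""
    def __init__(self, users):
        self.db = {u: password_hash(p) for u, p in users.items()}

    def login(self, user, sent_hash):
        # The value on the wire is the credential itself: anyone holding it can resend it.
        return hmac.compare_digest(self.db.get(user, ""), sent_hash)

class ChallengeResponseServer:
    """Digest-style variant: server issues a one-time nonce, client answers
    HMAC(H(password), nonce). The stored verifier is still password-equivalent
    if the database leaks (David's second objection); only wire replay is closed."""
    def __init__(self, users):
        self.db = {u: password_hash(p) for u, p in users.items()}
        self.pending = {}  # user -> outstanding nonce, consumed on first use

    def challenge(self, user):
        self.pending[user] = secrets.token_hex(16)
        return self.pending[user]

    @staticmethod
    def response(verifier, nonce):
        return hmac.new(verifier.encode(), nonce.encode(), "sha256").hexdigest()

    def login(self, user, sent_response):
        nonce = self.pending.pop(user, None)  # each nonce is accepted at most once
        if nonce is None or user not in self.db:
            return False
        return hmac.compare_digest(self.response(self.db[user], nonce), sent_response)

def replay_results():
    """Replay one captured login against each server: (fixed-hash accepted, challenge-response accepted)."""
    users = {"alice": "correct horse"}                            # constructed sample account
    a = FixedHashServer(users)
    wire = password_hash("correct horse")                         # observed once on the network
    replay_a = a.login("alice", wire) and a.login("alice", wire)  # same bytes accepted again
    b = ChallengeResponseServer(users)
    answer = b.response(password_hash("correct horse"), b.challenge("alice"))
    fresh = b.login("alice", answer)                              # genuine session succeeds
    b.challenge("alice")                                          # next session gets a new nonce
    return replay_a, fresh and b.login("alice", answer)           # old answer no longer verifies
```

The first result is True because the fixed hash is accepted every time it is presented; the second is False because the old answer was bound to a nonce the server has already consumed.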