[JDEV] 0K Authentication
Chris Chen
ckchris at idream.net
Thu Oct 11 15:48:39 CDT 2001
From what I understand, Java uses SHA1 for encryption. This could
possibly be the problem.
But if Jabber is using SHA and not SHA1, then I would suggest that Jabber
be upgraded to using SHA1. There is an unpublished flaw in SHA that makes
it vulnerable. SHA1 should be more secure..
What do you think about changing 0k Authentication to using SHA1 instead?
Chris
At 07:48 PM 10/10/2001, you wrote:
>Does the digest library your using distinguish between SHA and SHA1? If
>so, that could be the problem, otherwise I don't know enough java to
>compare it to the C the server uses to generate it. But if you can read
>C, here's the snippet:
>
> /* first, hash the pass */
> shahash_r(pass,hash);
> /* next, hash that and the token */
> shahash_r(spools(m->packet->p,hash,token,m->packet->p),hash);
> /* we've got hash0, now make as many as the sequence is */
> for(i = 0; i < sequence; i++, shahash_r(hash,hash));
>
>I know that gabber and winjab are supporting it, but if it's a problem in
>the spec I'd be happy to fix it, or if anyone has time to update the .sgml
>with better examples feel free.
>
>On the reset/update, I published a new draft at
>http://core.jabber.org/white/zerokreg.sgml.html and implemented it in
>current CVS. If it works out well, I'd like to combine all the zerok work
>and publish a JEP on it in the near future.
>
>Jer
>
>_______________________________________________
>jdev mailing list
>jdev at jabber.org
>http://mailman.jabber.org/listinfo/jdev
PGP at ldap://certserver.pgp.com/
More information about the JDev
mailing list