[JDEV] New Secure Authentication Mechanism

Sami Haahtinen ressu at ressukka.net
Sun May 19 07:42:04 CDT 2002


On Sun, May 19, 2002 at 03:29:22AM -0700, Chris Chen wrote:
> Has anyone considered RFC 2945 (SRP implementation) as perhaps an 
> alternative form of authentication for Jabber?
> 
> I personally think that 0k authentication is a little unwieldy because you 
> have to periodically update the counter when it hits zero.
> 
> With SRP, password authentication is transmitted securely without a need for 
> certificate-based or public key-based authentication.

Well, after a quick read through the docs, I have to say: I hate it!

I don't know if it would improve the security; probably it would on the
network level, but the idea of storing plaintext passwords scares me.
The problem with secure authentication is that the weak point moves from
one place to another. This way you would be unable to crack one account,
but by gaining access to the host itself you would get all the
passwords, which I consider to be a huge thing (as many people do use
the same password in many places); by tracking back with the e-mail
addresses entered for the accounts you would be able to crack a few
new hosts.

Ugly!

The best method for this is to secure the transfer of the passwords as
well as possible.

Sami

-- 
			  -< Sami Haahtinen >-
      -[ Is it still a bug, if we have learned to live with it? ]-
	-< 2209 3C53 D0FB 041C F7B1  F908 A9B6 F730 B83D 761C >-
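As an added example (not part of the thread, nor of any Jabber or SRP implementation), here is the RFC 2945 SRP-3 handshake that the thread is discussing, written out in Python so that both halves of the argument can be inspected: `enroll()` shows exactly what the host ends up storing (a salt and a verifier v = g^x mod N, derived from the password but not the password itself), and `authenticate()` runs the exchange with both sides' messages and the mutual proofs M1 and M2. The identity, password and group parameters are constructed toy values; 2**127 - 1 is used only to keep the demonstration fast and is neither a safe prime nor one of the standard RFC 2945 groups, which a real deployment would use instead.

```python
import hashlib
import secrets

# Toy group, constructed for this example only: 2**127 - 1 is prime but it is
# NOT a safe prime and NOT an RFC 2945 group. Real deployments use the RFC groups.
N = 2**127 - 1
g = 3


def H(*parts: bytes) -> bytes:
    """SHA-1 over the concatenation of the parts, as RFC 2945 specifies."""
    return hashlib.sha1(b"".join(parts)).digest()


def to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


def from_bytes(b: bytes) -> int:
    return int.from_bytes(b, "big")


def private_key(identity: str, password: str, salt: bytes) -> int:
    """RFC 2945: x = SHA1(s | SHA1(I | ":" | P)). Only the client computes this."""
    inner = H(identity.encode(), b":", password.encode())
    return from_bytes(H(salt, inner))


def sha_interleave(S: int) -> bytes:
    """RFC 2945 SHA_Interleave: derive a 40-byte session key from the shared S."""
    T = to_bytes(S).lstrip(b"\x00")
    if len(T) % 2:
        T = T[1:]
    E, F = T[0::2], T[1::2]          # even- and odd-indexed bytes
    G, Hh = hashlib.sha1(E).digest(), hashlib.sha1(F).digest()
    return b"".join(bytes([gb, hb]) for gb, hb in zip(G, Hh))


def enroll(identity: str, password: str):
    """Registration step. Returns (salt, verifier): this pair is all the host stores."""
    s = secrets.token_bytes(16)
    x = private_key(identity, password, s)
    v = pow(g, x, N)
    return s, v


def authenticate(identity: str, password: str, store: dict) -> bool:
    """Run the SRP-3 exchange of RFC 2945 between a client holding the password
    and a server holding only store[identity] == (salt, verifier)."""
    # Client -> Server: I.   Server -> Client: s.
    s, v = store[identity]

    # Client picks a, sends A = g^a.
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    # Server picks b, sends B = v + g^b (SRP-3 form, no k multiplier).
    b = secrets.randbelow(N - 2) + 1
    B = (v + pow(g, b, N)) % N
    # Both sides must abort on a degenerate public value.
    if A % N == 0 or B % N == 0:
        raise ValueError("illegal public value")
    # u is the first 32 bits of SHA1(B); the server aborts if it is zero.
    u = from_bytes(H(to_bytes(B))[:4])
    if u == 0:
        raise ValueError("u == 0")

    # Client: needs the password here, and only here.  S = (B - g^x)^(a + u*x)
    x = private_key(identity, password, s)
    S_client = pow((B - pow(g, x, N)) % N, a + u * x, N)
    # Server: never sees x or the password.  S = (A * v^u)^b
    S_server = pow((A * pow(v, u, N)) % N, b, N)
    K_client = sha_interleave(S_client)
    K_server = sha_interleave(S_server)

    # Client proof M1 = H(H(N) xor H(g), H(I), s, A, B, K); server recomputes it.
    hxor = bytes(p ^ q for p, q in zip(H(to_bytes(N)), H(to_bytes(g))))
    common = (hxor, H(identity.encode()), s, to_bytes(A), to_bytes(B))
    M1 = H(*common, K_client)
    if M1 != H(*common, K_server):
        return False                 # wrong password: server rejects
    # Server proof M2 = H(A, M1, K); client checks it.
    M2 = H(to_bytes(A), M1, K_server)
    return M2 == H(to_bytes(A), M1, K_client)


if __name__ == "__main__":
    # Constructed sample account.
    store = {"alice": enroll("alice", "correct horse")}
    print("stored:", store["alice"][0].hex(), hex(store["alice"][1]))
    print("right password:", authenticate("alice", "correct horse", store))
    print("wrong password:", authenticate("alice", "wrong horse", store))
```

The point the code makes explicit is where the password is needed: `private_key()` runs only on the client, while the server side of `authenticate()` works from the verifier alone, so what an attacker obtains by reading the host's store is (salt, verifier), not the password. That store is still worth protecting, since a verifier is enough to run an offline dictionary attack against a weak password.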