[JDEV] New Secure Authentication Mechanism

David Waite mass at akuma.org
Sun May 19 11:47:52 CDT 2002


Sami Haahtinen wrote:

>On Sun, May 19, 2002 at 03:29:22AM -0700, Chris Chen wrote:
>
>>Has anyone considered RFC 2945 (SRP implementation) as perhaps an 
>>alternative form of authentication for Jabber?
>>
>>I personally think that 0k authentication is a little unwieldy because you 
>>have to periodically update the counter when it hits zero.
>>
>>With SRP, password authentication is transmitted securely without a need for 
>>certificate-based or public key-based authentication.
>>
>
>Well, after a quick read through the docs, I have to say: I hate it!
>
>I don't know if it would improve the security; probably it would on the
>network level, but the idea of storing plaintext passwords scares me.
>The problem with secure authentication is that the weak point moves from
>one place to another. This way you would be unable to crack one account,
>but by gaining access to the host itself, you would get all the
>passwords, which I consider to be a huge thing (as many people do use
>the same password in many places) but of tracking back with the e-mail
>addresses entered for the accounts and you would be able to crack a few
>new hosts.
>
Nah, the server does not need to store the password, it just needs to 
store the password verifier as a number, which (assuming standard 'g' 
and 'N') is g^(SHA(salt + SHA(username + ':' + password))) % N.

-David Waite




More information about the JDev mailing list