[JDEV] Question about password digest
David Waite
mass at akuma.org
Thu Sep 12 17:00:05 CDT 2002
Sebastian Paul Avarvarei wrote:
>Hello David,
>
>Thank you for your reply. However, like any good answer, it raises more questions :)
>
>I'm a little bit at a loss here - still a newbie in these areas. I'm not sure what's the difference between <digest> and <hash>/zero-k auth. If you could give me a pointer to some docs on the subject, I would appreciate it. What's the method for computing the digest? Isn't it like the "openssl sha1" command?
>
They are very similar. The main difference is that the zero-knowledge
auth is a key which gets modified each time you authenticate, such that
the server does not actually know what your password is. With
digest-based auth, the server must store a copy of the plaintext password.
digest = hex(SHA1(session_id + password))
Where SHA1 is the standard sha algorithm returning binary data, and
hex() encodes this as lowercase hexadecimal characters. This should be
the output of the "openssl sha1" command.
Zero-knowledge auth is described at
http://docs.jabber.org/draft-proto/html/zerok.html; it is not standard
and probably never will be with the push for SASL.
-David Waite
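The digest computation from the reply above, written out as an added example (not code from David's message or from any Jabber implementation). Both the client side (producing the digest) and the server side (recomputing it from the stored plaintext password, which is the drawback the reply points out) are shown; the session id and password are constructed sample values.

```python
import hashlib
import hmac

# Jabber-style digest auth as described in the reply:
#   digest = hex(SHA1(session_id + password))
# session_id is the stream id the server hands out when the session opens,
# password is the user's plaintext password. Both are assumed to be text here.


def jabber_digest(session_id: str, password: str) -> str:
    """Client side: lowercase-hex SHA1 of session_id concatenated with password.

    Equivalent shell form (hex part of the output):
        printf '%s%s' "$session_id" "$password" | openssl sha1
    printf is used instead of echo so no trailing newline is hashed.
    """
    data = (session_id + password).encode("utf-8")
    return hashlib.sha1(data).hexdigest()  # hexdigest() is already lowercase


def verify_digest(session_id: str, stored_password: str, presented: str) -> bool:
    """Server side: recompute the expected digest and compare.

    The server can only do this because it holds the plaintext password;
    a one-way password hash on the server would not work with this scheme.
    """
    expected = jabber_digest(session_id, stored_password)
    # Constant-time comparison so mismatch position does not leak via timing;
    # the presented value is normalised to lowercase before comparing.
    return hmac.compare_digest(expected, presented.lower())


if __name__ == "__main__":
    # constructed sample values, not from any real session
    sid = "3B1A9E77"
    pw = "correct horse"
    d = jabber_digest(sid, pw)
    print("digest:", d)
    print("verifies:", verify_digest(sid, pw, d))
    # a new session id yields a different digest for the same password,
    # which is what stops a captured digest being replayed in a later session
    print("same in new session:", d == jabber_digest("3B1A9E78", pw))
```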