Re(2): [JDEV] Question about password digest

Peter Saint-Andre stpeter at jabber.org
Thu Sep 12 21:32:06 CDT 2002 

zero-k is not well-documented because it's sub-optimal and we'll be moving
to SASL anyway (this is why it was left out of the IETF drafts), but the
digest stuff is here:

http://www.jabber.org/ietf/draft-miller-xmpp-im-00.html#auth-iqauth

Peter

--
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.html

On 13 Sep 2002, Sebastian Paul Avarvarei wrote:

> Hello David,
> 
> Thank you for your reply. However, like any good answer, it raises more questions :)
> 
> I'm a little bit at loss here - still newbie in these areas. I'm not sure what's the difference between <digest> and <hash>/zero-k auth. If you could give me a pointer to some docs on the subject, I would appreciate it. What's the method for computing the digest? Isn't it like the "openssl sha1" command?
> 
> Still, for curiosity, do you have any idea how can I compute the <hash>aa9d89856d398bf06de9863af744d1289c4eaadd</hash> from the example I gave: <stream:stream id='3D809521'>, <password>123</password>? I would like to understand how things work.
> 
> Thank you!
> 
> Sebastian
> 
> 
> David Waite  (9/12/2002  7:01 PM):
> >Sebastian Paul Avarvarei wrote:
> >
> >Sebastian,
> >Try putting the password into a <digest> element rather than a <hash> 
> >element - hash is used for zero-k authentication. Also, make sure you 
> >are not digesting a trailing newline with openssl (I always do this 
> >accidently when using openssl from the shell)
> >
> >-David Waite
> >
> >>Hello,
> >>
> >>I'm writing a PHP site which which will integrate with Jabber (jabberd). PHP doesn't have bult-in SHA-1 support (only MD5), and installing mhash is (unfortunately) not an option for my current project. And I would really like to avoid sending clear-text passwords.
> >>
> >>One of the options I looked into is to generate the digest with "openssl sha1", but I can't seem to get the correct hash. Session example (from Winjab debug):
> >>
> >>RECV: <?xml version='1.0'?><stream:stream xmlns:stream='http://etherx.jabber.org/streams' id='3D809521' xmlns='jabber:client' from='my.srv.com'>
> >>SENT: <iq type="get" id="JCOM_79"><query xmlns="jabber:iq:auth"><username>admin</username></query></iq>
> >>RECV: <iq type='result' id='JCOM_79'><query xmlns='jabber:iq:auth'><username>admin</username><password/><sequence>463</sequence><token>3D7DEE68</token><resource/></query></iq>
> >>SENT: <iq type="set" id="JCOM_80"><query xmlns="jabber:iq:auth"><username>admin</username><hash>aa9d89856d398bf06de9863af744d1289c4eaadd</hash><resource>Winjab</resource></query></iq>
> >>
> >>Given the above session, which string is used for generating the digest? Is it "3D809521123", meaning the id attribute of the session (3D809521) plus my password (123)? I tried this and other combinations and I can't get the same hash as Winjab's. For my tests, OpenSSL is reading the string from a text file, no \n after the string.
> >>
> >>If anyone can tell me what I'm doing wrong here or suggest a different solution for PHP (such as an SHA-1 algorithm written in PHP), it would be greatly appreciated.
> _______________________________________________
> jdev mailing list
> jdev at jabber.org
> http://mailman.jabber.org/listinfo/jdev
>

More information about the JDev mailing list