Re(2): [JDEV] Question about password digest
Iain Shigeoka
iain.shigeoka at messaginglogic.com
Fri Sep 13 11:19:47 CDT 2002
I'll throw in a plug for my book, Instant Messaging in Java: The Jabber
Protocols by Manning (www.manning.com/shigeoka). It contains a detailed
description of 0-k auth including a listing of some public domain Java code
I wrote that implements it.
As Peter says though, it will eventually be replaced by SASL (unless
something major derails the JEP...unlikely). Of course, "eventually" could
be a ways out so if you're doing Jabber software now, you should get 0-k
going... You'll probably need to support it for backward compatibility for
a long time to come in any case.
-iain
On 9/12/02 7:32 PM, "Peter Saint-Andre" <stpeter at jabber.org> wrote:
> zero-k is not well-documented because it's sub-optimal and we'll be moving
> to SASL anyway (this is why it was left out of the IETF drafts), but the
> digest stuff is here:
>
> http://www.jabber.org/ietf/draft-miller-xmpp-im-00.html#auth-iqauth
>
> Peter
>
> --
> Peter Saint-Andre
> Jabber Software Foundation
> http://www.jabber.org/people/stpeter.html
>
> On 13 Sep 2002, Sebastian Paul Avarvarei wrote:
>
>> Hello David,
>>
>> Thank you for your reply. However, like any good answer, it raises more
>> questions :)
>>
>> I'm a little bit at loss here - still newbie in these areas. I'm not sure
>> what's the difference between <digest> and <hash>/zero-k auth. If you could
>> give me a pointer to some docs on the subject, I would appreciate it. What's
>> the method for computing the digest? Isn't it like the "openssl sha1"
>> command?
>>
>> Still, for curiosity, do you have any idea how can I compute the
>> <hash>aa9d89856d398bf06de9863af744d1289c4eaadd</hash> from the example I
>> gave: <stream:stream id='3D809521'>, <password>123</password>? I would like
>> to understand how things work.
>>
>> Thank you!
>>
>> Sebastian
>>
>>
>> David Waite (9/12/2002 7:01 PM):
>>> Sebastian Paul Avarvarei wrote:
>>>
>>> Sebastian,
>>> Try putting the password into a <digest> element rather than a <hash>
>>> element - hash is used for zero-k authentication. Also, make sure you
>>> are not digesting a trailing newline with openssl (I always do this
>>> accidently when using openssl from the shell)
>>>
>>> -David Waite
>>>
>>>> Hello,
>>>>
>>>> I'm writing a PHP site which which will integrate with Jabber (jabberd).
>>>> PHP doesn't have bult-in SHA-1 support (only MD5), and installing mhash is
>>>> (unfortunately) not an option for my current project. And I would really
>>>> like to avoid sending clear-text passwords.
>>>>
>>>> One of the options I looked into is to generate the digest with "openssl
>>>> sha1", but I can't seem to get the correct hash. Session example (from
>>>> Winjab debug):
>>>>
>>>> RECV: <?xml version='1.0'?><stream:stream
>>>> xmlns:stream='http://etherx.jabber.org/streams' id='3D809521'
>>>> xmlns='jabber:client' from='my.srv.com'>
>>>> SENT: <iq type="get" id="JCOM_79"><query
>>>> xmlns="jabber:iq:auth"><username>admin</username></query></iq>
>>>> RECV: <iq type='result' id='JCOM_79'><query
>>>> xmlns='jabber:iq:auth'><username>admin</username><password/><sequence>463</
>>>> sequence><token>3D7DEE68</token><resource/></query></iq>
>>>> SENT: <iq type="set" id="JCOM_80"><query
>>>> xmlns="jabber:iq:auth"><username>admin</username><hash>aa9d89856d398bf06de9
>>>> 863af744d1289c4eaadd</hash><resource>Winjab</resource></query></iq>
>>>>
>>>> Given the above session, which string is used for generating the digest? Is
>>>> it "3D809521123", meaning the id attribute of the session (3D809521) plus
>>>> my password (123)? I tried this and other combinations and I can't get the
>>>> same hash as Winjab's. For my tests, OpenSSL is reading the string from a
>>>> text file, no \n after the string.
>>>>
>>>> If anyone can tell me what I'm doing wrong here or suggest a different
>>>> solution for PHP (such as an SHA-1 algorithm written in PHP), it would be
>>>> greatly appreciated.
>> _______________________________________________
>> jdev mailing list
>> jdev at jabber.org
>> http://mailman.jabber.org/listinfo/jdev
>>
>
> _______________________________________________
> jdev mailing list
> jdev at jabber.org
> http://mailman.jabber.org/listinfo/jdev
More information about the JDev
mailing list