[jdev] sniffing

Justin Karneges justin-keyword-jabber.093179 at affinix.com
Wed Oct 27 04:08:07 CDT 2004


On Wednesday 27 October 2004 01:26 am, Alex Kogan wrote:
> Hello Justin,
>
> > SASL would be even easier (if PHP can do it...).  But yes he should
> > definitely use one of these at least.  No sense in making a new security
> > protocol.
>
>  I do not intend to invent a new security protocol, I will rework XMPP
>  for my needs, however, I need some practical advice on implementing
>  either SASL or TLS to prevent sniffing.

Get some libraries. :)

TLS acts as a filter over your entire connection.  When you have data to 
write, you instead write it to your TLS library for encryption first.  When 
data comes from the TCP socket, you pass it to your TLS library to have it 
decrypted.  It acts as a middleman for your socket.  There is an initial 
negotiation phase where optional certificates are exchanged so that both 
parties can identify themselves.  The most common case is for the client to 
not provide one (anonymous), but the server does.  The client will then prove 
who it is later using a separate authentication method over this 
now-encrypted connection.

SASL is similar, but it has two phases.  The first step is authentication, 
whereby the client and server exchange blocks of data constructed by each 
other's SASL libraries.  The applications themselves pass this data across as 
defined by the application protocol (for example, in XMPP, the SASL auth 
blocks are Base64-encoded and placed in an XML element).  Once the login is 
complete, the application then runs all further incoming and outgoing data 
through the SASL library (just like how TLS works) to encrypt the connection.

In XMPP, we generally use TLS for connection encryption, with either SASL or 
some older mechanism for login/password authentication.  The reason for using 
both when SASL should suffice is that SASL is relatively new to the world 
of Jabber.

-Justin

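An added example (not part of Justin's message or of any XMPP library) of the SASL authentication phase he describes: the client and server exchange opaque blocks produced by their SASL code, and the application frames each block as Base64 text inside an XML element (<auth>, <challenge>, <response>, <success>, <failure>). The mechanism chosen here, SCRAM-SHA-1 (RFC 5802), is an assumption made to show a genuine two-round challenge/response; the email names no mechanism. The user store, password and nonces are constructed for the example. Only the authentication phase is shown; the optional SASL security layer is not, which is why, as the message says, such an exchange is normally run over a connection TLS has already encrypted.

```python
"""XMPP-style SASL exchange (SCRAM-SHA-1) with both sides' messages.
Illustrative code written for this page; not Justin's code or any XMPP library.
User store, password and nonces are constructed."""
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"
ET.register_namespace("", SASL_NS)   # serialize with a default xmlns, as XMPP does


def wrap(tag, payload=b"", **attrs):
    """Frame a raw SASL block the XMPP way: base64 text inside a namespaced element."""
    el = ET.Element(f"{{{SASL_NS}}}{tag}", attrs)
    if payload:
        el.text = base64.b64encode(payload).decode("ascii")
    return ET.tostring(el, encoding="unicode")


def unwrap(xml_text):
    """Parse one SASL element; return (local tag name, decoded block)."""
    el = ET.fromstring(xml_text)
    return el.tag.split("}")[1], base64.b64decode(el.text or "")


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def fields(msg):
    """'k=v,k=v' -> dict; values may themselves contain '=' (base64 padding)."""
    return dict(part.split("=", 1) for part in msg.split(","))


class ScramServer:
    """Verifies SCRAM-SHA-1 proofs; stores only derived keys, never the password."""

    def __init__(self, users):
        self.users = users           # username -> (salt, iterations, StoredKey, ServerKey)
        self.pending = {}            # combined nonce -> state between the two rounds

    @staticmethod
    def enroll(password, iterations=4096):
        salt = secrets.token_bytes(16)
        salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
        client_key = hmac.new(salted, b"Client Key", "sha1").digest()
        server_key = hmac.new(salted, b"Server Key", "sha1").digest()
        return salt, iterations, hashlib.sha1(client_key).digest(), server_key

    def handle_auth(self, auth_xml):
        tag, block = unwrap(auth_xml)
        if tag != "auth":
            return wrap("failure")
        _gs2, _authzid, client_first_bare = block.decode().split(",", 2)
        f = fields(client_first_bare)            # usernames here contain no ',' or '='
        if f["n"] not in self.users:
            return wrap("failure")
        salt, iters, _, _ = self.users[f["n"]]
        nonce = f["r"] + secrets.token_urlsafe(18)   # server extends the client nonce
        server_first = f"r={nonce},s={base64.b64encode(salt).decode()},i={iters}"
        self.pending[nonce] = (f["n"], client_first_bare, server_first)
        return wrap("challenge", server_first.encode())

    def handle_response(self, response_xml):
        tag, block = unwrap(response_xml)
        if tag != "response":
            return wrap("failure")
        without_proof, proof_b64 = block.decode().rsplit(",p=", 1)
        state = self.pending.pop(fields(without_proof)["r"], None)
        if state is None:
            return wrap("failure")
        user, client_first_bare, server_first = state
        _, _, stored_key, server_key = self.users[user]
        auth_message = f"{client_first_bare},{server_first},{without_proof}".encode()
        client_sig = hmac.new(stored_key, auth_message, "sha1").digest()
        client_key = xor(base64.b64decode(proof_b64), client_sig)
        if not hmac.compare_digest(hashlib.sha1(client_key).digest(), stored_key):
            return wrap("failure")
        server_sig = hmac.new(server_key, auth_message, "sha1").digest()
        return wrap("success", b"v=" + base64.b64encode(server_sig))


class ScramClient:
    def __init__(self, user, password):
        self.password = password
        self.client_first_bare = f"n={user},r={secrets.token_urlsafe(18)}"
        self.expected_v = None

    def auth(self):
        return wrap("auth", ("n,," + self.client_first_bare).encode(), mechanism="SCRAM-SHA-1")

    def response(self, challenge_xml):
        tag, block = unwrap(challenge_xml)
        if tag != "challenge":
            raise ValueError("expected <challenge>")
        server_first = block.decode()
        f = fields(server_first)
        if not f["r"].startswith(fields(self.client_first_bare)["r"]):
            raise ValueError("server nonce does not extend ours")
        salted = hashlib.pbkdf2_hmac("sha1", self.password.encode(),
                                     base64.b64decode(f["s"]), int(f["i"]))
        client_key = hmac.new(salted, b"Client Key", "sha1").digest()
        without_proof = f"c=biws,r={f['r']}"          # 'biws' = base64('n,,')
        auth_message = f"{self.client_first_bare},{server_first},{without_proof}".encode()
        client_sig = hmac.new(hashlib.sha1(client_key).digest(), auth_message, "sha1").digest()
        server_key = hmac.new(salted, b"Server Key", "sha1").digest()
        self.expected_v = "v=" + base64.b64encode(
            hmac.new(server_key, auth_message, "sha1").digest()).decode()
        proof = base64.b64encode(xor(client_key, client_sig)).decode()
        return wrap("response", f"{without_proof},p={proof}".encode())

    def verify_success(self, final_xml):
        """Mutual auth: the server's 'v=' proves it knew ServerKey too."""
        tag, block = unwrap(final_xml)
        return tag == "success" and hmac.compare_digest(block.decode(), self.expected_v)


def run_exchange(user, password, server):
    """Drive one full exchange; return (list of XML stanzas sent, authenticated?)."""
    client = ScramClient(user, password)
    transcript = [client.auth()]
    transcript.append(server.handle_auth(transcript[-1]))
    if unwrap(transcript[-1])[0] != "challenge":
        return transcript, False
    transcript.append(client.response(transcript[-1]))
    transcript.append(server.handle_response(transcript[-1]))
    return transcript, client.verify_success(transcript[-1])


USERS = {"alice": ScramServer.enroll("correct horse")}   # constructed user store

if __name__ == "__main__":
    for stanza in run_exchange("alice", "correct horse", ScramServer(USERS))[0]:
        print(stanza)
```

The transcript printed by the main block is what a sniffer would see on an unencrypted socket: the password itself never crosses the wire, but the exchange still leaks usernames and lets an observer attempt an offline dictionary attack on the proof, so it is still worth running over TLS. Note also that the server keeps only salted, iterated derived keys, so a dump of the user store does not yield passwords.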


More information about the JDev mailing list