[jdev] SASL question on RFC 3920

Jens Mikkelsen gyldenskjold at mail.dk
Thu Jan 6 15:42:23 CST 2005


On Thu, 2005-01-06 at 19:04, Justin Karneges wrote:
[...]
> > What kind of encryption? Is it just the authentication that's being
> > encrypted? Is it just that digest and zeroK it refers to?
> 
> The entire channel is secured.  It is not just during authentication.
> 
> The encryption used is dependent on the mechanism.  DIGEST-MD5 offers a 
> security layer, as do some others.  PLAIN does not.  The strength of the 
> encryption is determined by a universal "security strength factor" (or SSF) 
> that is negotiated by the mechanism during authentication.
> 
> Have a look at Cyrus SASL to see how it is done.  The application passes a 
> minimum and maximum SSF value to the library during initialization.  Once the 
> app has authenticated, it feeds all incoming and outgoing socket data through 
> the library (in XMPP, this starts right after the last '>' character, as 
> described in xmpp-core, section 6.3).

Hmmm. Maybe I am totally confused. But it seems that it is not standard
to use SASL. Although I use digest authentication with jabber.org when
I log on, there doesn't seem to be a SASL exchange initiated, even though it is a
MUST in the RFC. The RFC says that these steps should be made, but when
I sniff the data, nothing like this comes up:

...
   Step 3: Server informs client of available authentication mechanisms:

   <stream:features>
     <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
       <mechanism>DIGEST-MD5</mechanism>
       <mechanism>PLAIN</mechanism>
     </mechanisms>
   </stream:features>

   Step 4: Client selects an authentication mechanism:

   <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl'
         mechanism='DIGEST-MD5'/>

   Step 5: Server sends a [BASE64] encoded challenge to client:

   <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
   cmVhbG09InNvbWVyZWFsbSIsbm9uY2U9Ik9BNk1HOXRFUUdtMmhoIixxb3A9ImF1dGgi
   LGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNzCg==
   </challenge>

   The decoded challenge is:

   realm="somerealm",nonce="OA6MG9tEQGm2hh",\
   qop="auth",charset=utf-8,algorithm=md5-sess
...


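As an added example (my own code, not from this thread, the RFC, or Cyrus SASL), the Python below decodes the RFC 3920 challenge quoted above into its directives and derives the DIGEST-MD5 client response together with the server's rspauth per RFC 2831, so the client can authenticate the server as well. Function names are mine; the stand-alone run uses the credentials from RFC 2831's worked example (user chris, realm elwood.innosoft.com, password secret), which happens to use the same nonce as the RFC 3920 excerpt, and DIGEST-MD5 is shown only to make the exchange concrete, since the mechanism has since been deprecated (RFC 6331).

```python
import base64
import hashlib
import hmac

# Constructed input: the <challenge> payload quoted from RFC 3920 above, exactly as
# the two base64 lines a client would read out of the element (whitespace included).
CHALLENGE_B64 = """cmVhbG09InNvbWVyZWFsbSIsbm9uY2U9Ik9BNk1HOXRFUUdtMmhoIixxb3A9ImF1dGgi
LGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNzCg=="""

def parse_challenge(b64_text):
    """Base64-decode a SASL challenge and split it into directive name/value pairs.
    Quoted values may contain ',' or '='; backslash escapes inside quotes are not unescaped."""
    raw = base64.b64decode("".join(b64_text.split())).decode("utf-8")
    fields, key, buf, quoted = {}, None, [], False
    for ch in raw.strip() + ",":            # trailing ',' flushes the last directive
        if ch == '"':
            quoted = not quoted
        elif ch == "=" and key is None and not quoted:
            key, buf = "".join(buf).strip(), []
        elif ch == "," and not quoted:
            if key is not None:
                fields[key] = "".join(buf)
            key, buf = None, []
        else:
            buf.append(ch)
    return fields

def _md5hex(data):
    return hashlib.md5(data).hexdigest()

def digest_md5_responses(username, realm, password, nonce, cnonce, nc, digest_uri, qop="auth"):
    """RFC 2831 with qop=auth: return (client response, server rspauth) as hex strings.
    rspauth differs from response only in A2 lacking the 'AUTHENTICATE' method name."""
    # A1 = H(user:realm:pass) ":" nonce ":" cnonce, the inner hash taken as raw bytes
    a1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()
    hex_a1 = _md5hex(a1 + f":{nonce}:{cnonce}".encode())
    def kd(hex_a2):                         # KD(k, s) = H(k ":" s)
        return _md5hex(f"{hex_a1}:{nonce}:{nc}:{cnonce}:{qop}:{hex_a2}".encode())
    response = kd(_md5hex(f"AUTHENTICATE:{digest_uri}".encode()))
    rspauth = kd(_md5hex(f":{digest_uri}".encode()))
    return response, rspauth

def server_is_authentic(expected_rspauth, received_rspauth):
    """A client must check rspauth before trusting the server; compare in constant time."""
    return hmac.compare_digest(expected_rspauth, received_rspauth)

if __name__ == "__main__":
    ch = parse_challenge(CHALLENGE_B64)      # realm, nonce, qop, charset, algorithm
    # Credentials below are RFC 2831's worked example, which uses this same nonce.
    print(ch, digest_md5_responses("chris", "elwood.innosoft.com", "secret", ch["nonce"],
                                   "OA6MHXh6VqTrRk", "00000001", "imap/elwood.innosoft.com"))
```

Note that RFC 3920's own step 7 reuses the response value from RFC 2831 even though its username, realm and digest-uri differ, so the example there is not a valid known-answer vector; use the RFC 2831 inputs when testing an implementation.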