[jdev] plaintext passwords hack

Peter Saint-Andre stpeter at stpeter.im
Fri Dec 18 09:41:39 CST 2009


On 12/18/09 8:07 AM, Alexander Holler wrote:
> Am 18.12.2009 14:58, schrieb Alexander Holler:
>> Storing a hash for every mechanism will not work. E.g. for DIGEST-MD5
>> the server has to hash the clear-text password with a value the client
>> provides. So the server needs the clear-text password. And if the server
>> is able to get the clear-text password, everyone with the same rights on
>> the server can retrieve the clear-text passwords too.
> 
> The solution to this problem is public key algorithms. So using
> (enforcing) client-side SSL certificates would do the trick.
> 
> Maybe an XEP which defines how a client sends his (public part of the)
> certificate during the registration process would be a practical solution.

Yes, I've been thinking about that for a while, but I haven't had time
to write up a document about it. I think we might want to avoid X.509
(with its dependency on ASN.1 etc.) and instead use simple RSA keys as
in XEP-0189. But I'll give it more thought soon.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
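To make the DIGEST-MD5 point in the quoted message concrete, here is an added example (not code from the thread or from any XMPP project) that walks through the RFC 2831 response computation with constructed credentials. The server stores H(username:realm:password) rather than the password itself, but because the client-chosen cnonce is mixed into A1, that stored value is all the server needs to complete the exchange, so it is password-equivalent and a per-user salt cannot be used.

```python
import hashlib
import hmac
import secrets

# Constructed sample credentials (not from the thread).
USERNAME = "alice"
REALM = "example.net"
DIGEST_URI = "xmpp/example.net"


def password_verifier(username: str, realm: str, password: str) -> bytes:
    """The only secret the server needs for DIGEST-MD5: H(username:realm:password),
    16 raw bytes (RFC 2831, section 2.1.2.1). It is not the password, but anyone
    who can read it can complete the exchange, so it is password-equivalent."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def digest_response(verifier: bytes, nonce: str, cnonce: str,
                    nc: str = "00000001", qop: str = "auth") -> str:
    """RFC 2831 response-value for qop=auth, computed from the verifier only.
    A1 mixes in the client-chosen cnonce, so the server must hold a value it
    can combine with fresh client input; a salted, one-way hash would not do."""
    ha1 = hashlib.md5(verifier + f":{nonce}:{cnonce}".encode()).hexdigest()
    ha2 = hashlib.md5(f"AUTHENTICATE:{DIGEST_URI}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hexdigest()


def client_response(password: str, nonce: str, cnonce: str) -> str:
    # The client recomputes the verifier from the typed password on every login.
    return digest_response(password_verifier(USERNAME, REALM, password), nonce, cnonce)


def server_verify(stored: bytes, nonce: str, cnonce: str, response: str) -> bool:
    # The server never sees the password; the stored verifier is sufficient.
    expected = digest_response(stored, nonce, cnonce)
    return hmac.compare_digest(expected, response)


def run_exchange(registered: str, typed: str, nonce: str = None, cnonce: str = None) -> bool:
    """Simulate registration (server stores the verifier) and one login attempt."""
    nonce = nonce or secrets.token_hex(16)    # server challenge
    cnonce = cnonce or secrets.token_hex(16)  # client nonce
    stored = password_verifier(USERNAME, REALM, registered)
    return server_verify(stored, nonce, cnonce, client_response(typed, nonce, cnonce))


if __name__ == "__main__":
    print("correct password accepted:", run_exchange("s3cret", "s3cret"))
    print("wrong password rejected:", run_exchange("s3cret", "wrong"))
```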

