[jdev] Alternate MUC Authentication Mechanisms

Alex Milowski alex at milowski.org
Wed Oct 20 15:13:37 CST 2010


On Wed, Oct 20, 2010 at 1:11 AM, Dave Cridland <dave at cridland.net> wrote:
> On Wed Oct 20 01:47:58 2010, Alex Milowski wrote:
>>
>> On Sun, Oct 17, 2010 at 5:32 AM, Kurt Zeilenga <Kurt.Zeilenga at isode.com>
>> wrote:
>>
>> > User provides hash:
>> >
>> > <presence
>> >    from='hag66 at shakespeare.lit/pda'
>> >    to='darkcave at chat.shakespeare.lit/thirdwitch'>
>> >  <x xmlns='http://jabber.org/protocol/muc'>
>> >    <hash algorithm="sha2">hash</hash>
>> >  </x>
>> > </presence>
>> >
>> > where hash was the base64 encoded sha2 hash over the concat of
>> > subscribers' normalized bare jid, " ", the room's normalized bare jid, " ",
>> > and the shared password.
>>
>>
>> Yes, this is something like what I'm after.  I'm not really looking to
>> have individual identities authenticate.  Instead, I'm looking for a
>> more secure way to send the shared credentials for the room.
>>
>>
> At the risk of somewhat contradicting my colleague...
>
> That's equally (in)secure, since the hash is a plaintext equivalent. That's
> protecting you from a different user joining, but someone able to spoof the
> user can just blindly resend the hash. If you sign stanzas, on the other
> hand, the hash is pointless.

I think I'm not being clear in what I'm after.  I just want a MUC room
authentication mechanism that uses challenges.

If I were to modify the original suggestion:

1. Client joins room

<presence
   from='hag66 at shakespeare.lit/pda'
   to='darkcave at chat.shakespeare.lit/thirdwitch'>
 <x xmlns='http://jabber.org/protocol/muc'/>
</presence>

2. Room returns <not-authorized/> error with supported SASL mechanisms

<presence
   from='darkcave at chat.shakespeare.lit'
   to='hag66 at shakespeare.lit/pda'
   type='error'>
 <x xmlns='http://jabber.org/protocol/muc'/>
 <error type='auth'>
   <not-authorized xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
   <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
     <mechanism>SCRAM-SHA-1-PLUS</mechanism>
     <mechanism>SCRAM-SHA-1</mechanism>
     <mechanism>PLAIN</mechanism>
   </mechanisms>
 </error>
</presence>

3. Client selects an authentication mechanism:

<presence
   from='hag66 at shakespeare.lit/pda'
   to='darkcave at chat.shakespeare.lit/thirdwitch'>
 <x xmlns='http://jabber.org/protocol/muc'>
  <auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl"
              mechanism="SCRAM-SHA-1">
        biwsbj1qdWxpZXQscj1vTXNUQUF3QUFBQU1BQUFBTlAwVEFBQUFBQUJQVTBBQQ==
  </auth>
 </x>
</presence>

4. Room returns <not-authorized/> error with challenge:

<presence
   from='darkcave at chat.shakespeare.lit'
   to='hag66 at shakespeare.lit/pda'
   type='error'>
 <x xmlns='http://jabber.org/protocol/muc'/>
 <error type='auth'>
   <not-authorized xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
   <challenge xmlns="urn:ietf:params:xml:ns:xmpp-sasl">...</challenge>
 </error>
</presence>

5. The user joins with an appropriate response:

<presence
   from='hag66 at shakespeare.lit/pda'
   to='darkcave at chat.shakespeare.lit/thirdwitch'>
 <x xmlns='http://jabber.org/protocol/muc'>
 <response xmlns="urn:ietf:params:xml:ns:xmpp-sasl">...</response>
 </x>
</presence>


-- 
--Alex Milowski
"The excellence of grammar as a guide is proportional to the paucity of the
inflexions, i.e. to the degree of analysis effected by the language
considered."

Bertrand Russell in a footnote of Principles of Mathematics
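The computation behind steps 3 to 5 above, as an added example that is not part of the original post: a minimal SCRAM-SHA-1 (RFC 5802) client and room side, showing why a challenge mechanism answers Dave's replay objection. The room stores only derived keys for the shared room password, and the proof in the response is bound to both nonces, so a captured response fails against a fresh challenge. Nonces, salt and password below are constructed values.

```python
import base64
import hashlib
import hmac

def hmac_sha1(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha1).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def room_credentials(password: str, salt: bytes, iterations: int = 4096) -> dict:
    """What the room stores for the shared secret: derived keys, not the password."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    client_key = hmac_sha1(salted, b"Client Key")
    return {"salt": salt, "iterations": iterations,
            "stored_key": hashlib.sha1(client_key).digest(),
            "server_key": hmac_sha1(salted, b"Server Key")}

def client_first(user: str, cnonce: str) -> str:
    # Step 3 payload (before base64): GS2 header "n,," plus username and client nonce.
    return f"n,,n={user},r={cnonce}"

def server_first(creds: dict, cnonce: str, snonce: str) -> str:
    # Step 4 challenge: combined nonce, salt and iteration count.
    salt_b64 = base64.b64encode(creds["salt"]).decode()
    return f"r={cnonce}{snonce},s={salt_b64},i={creds['iterations']}"

def client_final(password: str, c_first: str, s_first: str) -> str:
    """Step 5 response: a proof bound to both nonces, so it is not a reusable token."""
    p = dict(kv.split("=", 1) for kv in s_first.split(","))
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(),
                                 base64.b64decode(p["s"]), int(p["i"]))
    client_key = hmac_sha1(salted, b"Client Key")
    without_proof = f"c=biws,r={p['r']}"          # "biws" is base64("n,,")
    auth_msg = f"{c_first[3:]},{s_first},{without_proof}".encode()
    proof = xor(client_key, hmac_sha1(hashlib.sha1(client_key).digest(), auth_msg))
    return f"{without_proof},p={base64.b64encode(proof).decode()}"

def room_verify(creds: dict, c_first: str, s_first: str, c_final: str) -> bool:
    """Room side: recover ClientKey from the proof and compare its hash to StoredKey."""
    without_proof, proof_b64 = c_final.rsplit(",p=", 1)
    expected_r = s_first.split(",")[0]
    if f"c=biws,{expected_r}" != without_proof:    # nonce must match this challenge
        return False
    auth_msg = f"{c_first[3:]},{s_first},{without_proof}".encode()
    client_key = xor(base64.b64decode(proof_b64), hmac_sha1(creds["stored_key"], auth_msg))
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), creds["stored_key"])
```

The strings produced here are what would be base64-encoded into the `<auth/>`, `<challenge/>` and `<response/>` elements of the presence stanzas above; the server-final `v=` verifier (computed from `server_key`) is omitted for brevity.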