[jdev] Alternate MUC Authentication Mechanisms
Kurt Zeilenga
Kurt.Zeilenga at Isode.COM
Wed Oct 20 16:29:29 CST 2010
On Oct 20, 2010, at 2:13 PM, Alex Milowski wrote:
> On Wed, Oct 20, 2010 at 1:11 AM, Dave Cridland <dave at cridland.net> wrote:
>> On Wed Oct 20 01:47:58 2010, Alex Milowski wrote:
>>>
>>> On Sun, Oct 17, 2010 at 5:32 AM, Kurt Zeilenga <Kurt.Zeilenga at isode.com>
>>> wrote:
>>>
>>>> User provides hash:
>>>>
>>>> <presence
>>>>     from='hag66@shakespeare.lit/pda'
>>>>     to='darkcave@chat.shakespeare.lit/thirdwitch'>
>>>>   <x xmlns='http://jabber.org/protocol/muc'>
>>>>     <hash algorithm="sha2">hash</hash>
>>>>   </x>
>>>> </presence>
>>>>
>>>> where hash was the base64 encoded sha2 hash over the concat of
>>>> subscribers' normalized bare jid, " ", the room's normalized bare jid, " ",
>>>> and the shared password.
>>>
>>>
>>> Yes, this is something like what I'm after. I'm not really looking to
>>> have individual identities authenticate. Instead, I'm looking for a
>>> more secure way to send the shared credentials for the room.
>>>
>>>
>> At the risk of somewhat contradicting my colleague...
>>
>> That's equally (in)secure, since the hash is a plaintext equivalent. That's
>> protecting you from a different user joining, but someone able to spoof the
>> user can just blindly resend the hash. If you sign stanzas, on the other
>> hand, the hash is pointless.
>
> I think I'm not being clear in what I'm after. I just want a MUC room
> authentication mechanism that uses challenges.
What's confusing here is whether you want a per-room or per-subscriber shared secret.
If the latter, yes, use SASL. But I don't see much desire to support per-subscriber credentials (which are not necessarily tied to their JIDs).
If the former, however, I would have significant reservations. SASL mechanisms such as SCRAM are commonly used to authenticate the user's identity to an application service; they are not intended to be used to establish who knows a password shared amongst many users. How would a user know which identity/password, their personal subscriber password or the room's, to use in computing the challenge responses? If this were going to be done, I'd argue that the identity they should assert is the room's jid (versus any identity string specific to the subscriber).
For the former, I recommend a simple hash scheme.
-- Kurt
>
> If I were to modify the original suggestion:
>
> 1. Client joins room
>
> <presence
>     from='hag66@shakespeare.lit/pda'
>     to='darkcave@chat.shakespeare.lit/thirdwitch'>
>   <x xmlns='http://jabber.org/protocol/muc'/>
> </presence>
>
> 2. Room returns <not-authorized/> error with supported SASL mechanisms
>
> <presence
>     from='darkcave@chat.shakespeare.lit'
>     to='hag66@shakespeare.lit/pda'
>     type='error'>
>   <x xmlns='http://jabber.org/protocol/muc'/>
>   <error type='auth'>
>     <not-authorized xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
>     <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
>       <mechanism>SCRAM-SHA-1-PLUS</mechanism>
>       <mechanism>SCRAM-SHA-1</mechanism>
>       <mechanism>PLAIN</mechanism>
>     </mechanisms>
>   </error>
> </presence>
>
> 3. Client selects an authentication mechanism:
>
> <presence
>     from='hag66@shakespeare.lit/pda'
>     to='darkcave@chat.shakespeare.lit/thirdwitch'>
>   <x xmlns='http://jabber.org/protocol/muc'>
>     <auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl"
>           mechanism="SCRAM-SHA-1">
>       biwsbj1qdWxpZXQscj1vTXNUQUF3QUFBQU1BQUFBTlAwVEFBQUFBQUJQVTBBQQ==
>     </auth>
>   </x>
> </presence>
>
> 4. Room returns <not-authorized/> error with challenge:
>
> <presence
>     from='darkcave@chat.shakespeare.lit'
>     to='hag66@shakespeare.lit/pda'
>     type='error'>
>   <x xmlns='http://jabber.org/protocol/muc'/>
>   <error type='auth'>
>     <not-authorized xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
>     <challenge xmlns="urn:ietf:params:xml:ns:xmpp-sasl">...</challenge>
>   </error>
> </presence>
>
> 5. The user joins with an appropriate response:
>
> <presence
>     from='hag66@shakespeare.lit/pda'
>     to='darkcave@chat.shakespeare.lit/thirdwitch'>
>   <x xmlns='http://jabber.org/protocol/muc'>
>     <response xmlns="urn:ietf:params:xml:ns:xmpp-sasl">...</response>
>   </x>
> </presence>
>
>
> --
> --Alex Milowski
> "The excellence of grammar as a guide is proportional to the paucity of the
> inflexions, i.e. to the degree of analysis effected by the language
> considered."
>
> Bertrand Russell in a footnote of Principles of Mathematics
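Added example, written for this archive page and not posted by anyone in the thread: Kurt's static hash token next to a hypothetical nonce-based challenge/response of the kind Alex is asking for, so Dave's replay point can be checked directly. Assumptions: "sha2" is read as SHA-256, JID normalization is approximated by lowercasing the bare JID, and the challenge variant is an illustration keyed on the shared room password, not a standard SASL mechanism.

```python
import base64
import hashlib
import hmac
import secrets


def normalized_bare_jid(jid: str) -> str:
    # Assumption: "normalized" is approximated by stripping the resource and
    # lowercasing; real JID normalization (stringprep/PRECIS) is more involved.
    return jid.split("/", 1)[0].lower()


def static_room_hash(subscriber_jid: str, room_jid: str, password: str) -> str:
    # Kurt's scheme: base64(sha2(bare_jid + " " + room_jid + " " + password)).
    # "sha2" is taken to mean SHA-256 here (assumption). The token is the same
    # on every join, so it is a plaintext equivalent for that subscriber/room.
    data = " ".join([normalized_bare_jid(subscriber_jid),
                     normalized_bare_jid(room_jid), password])
    return base64.b64encode(hashlib.sha256(data.encode()).digest()).decode()


def challenge_response(subscriber_jid: str, room_jid: str,
                       password: str, nonce: bytes) -> str:
    # Hypothetical challenge/response variant (not a standard mechanism): the
    # room issues a fresh nonce and the client answers with an HMAC keyed on the
    # shared password over the same two JIDs plus that nonce.
    data = " ".join([normalized_bare_jid(subscriber_jid),
                     normalized_bare_jid(room_jid)]).encode() + b" " + nonce
    mac = hmac.new(password.encode(), data, hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


class Room:
    # Room-side state for the challenge variant: one outstanding nonce per JID.
    def __init__(self, room_jid: str, password: str) -> None:
        self.room_jid = room_jid
        self.password = password
        self.outstanding = {}

    def issue_challenge(self, subscriber_jid: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding[normalized_bare_jid(subscriber_jid)] = nonce
        return nonce

    def verify_response(self, subscriber_jid: str, response: str) -> bool:
        # The nonce is consumed on first use, so a captured response cannot be
        # replayed; a wrong password yields a different MAC and is rejected.
        nonce = self.outstanding.pop(normalized_bare_jid(subscriber_jid), None)
        if nonce is None:
            return False
        expected = challenge_response(subscriber_jid, self.room_jid,
                                      self.password, nonce)
        return hmac.compare_digest(expected, response)
```

Whoever records the `static_room_hash` value can present it again unchanged, which is Dave's objection; `verify_response` rejects the same captured response a second time because the nonce it was computed over is gone.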