[jdev] Alternate MUC Authentication Mechanisms

Kurt Zeilenga Kurt.Zeilenga at Isode.COM
Thu Oct 21 18:05:48 CST 2010


On Oct 21, 2010, at 4:32 PM, Alex Milowski wrote:
> 
> For many of these mechanisms to work properly, you need a challenge
> from the service (the room service in this case) that contains,
> amongst other things, a nonce from the service.  I think the
> additional chatter can't be avoided.

My suggestion, with or without timestamp, avoids it.

> As time can't be synchronized
> across the various systems, you can't avoid having the service send the
> nonce that is then used in the response.

So don't timestamp.  The timestamp is only of value if you want to protect against an active attack.  Everything you've suggested is subject to a range of active attacks.

> As such, I don't think a
> client-side timestamp helps that much with replay attacks.

But with the jids in the hash, the replay attack requires an active attack to mount.

-- Kurt

> 
> -- 
> --Alex Milowski
> "The excellence of grammar as a guide is proportional to the paucity of the
> inflexions, i.e. to the degree of analysis effected by the language
> considered."
> 
> Bertrand Russell in a footnote of Principles of Mathematics
> _______________________________________________
> JDev mailing list
> Forum: http://www.jabberforum.org/forumdisplay.php?f=20
> Info: http://mail.jabber.org/mailman/listinfo/jdev
> Unsubscribe: JDev-unsubscribe at jabber.org
> _______________________________________________
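The two cases Kurt and Alex are arguing over, as an added example that is not part of the original thread: a join token keyed on the room password and bound to the user JID and room JID, with the timestamp as an optional extra field. The thread does not spell out Kurt's exact hash input, so the HMAC-SHA256 construction, the NUL-separated field layout, the 300-second freshness window and the JIDs below are assumptions made here, not the mechanism proposed on the list.

```python
"""Challenge-free MUC join token bound to the JIDs (constructed illustration).

Assumptions: token = HMAC-SHA256(room password, user JID || room JID [|| timestamp]).
The field order, separator and window are choices made for this example only.
"""
import hashlib
import hmac
from typing import Optional

SEP = "\x00"  # JIDs cannot contain NUL, so joining fields with it is unambiguous


def make_token(room_password: str, user_jid: str, room_jid: str,
               timestamp: Optional[int] = None) -> str:
    """Client side: MAC the JIDs (and the optional timestamp) under the room password."""
    fields = [user_jid, room_jid]
    if timestamp is not None:
        fields.append(str(timestamp))
    return hmac.new(room_password.encode("utf-8"),
                    SEP.join(fields).encode("utf-8"),
                    hashlib.sha256).hexdigest()


def verify_token(room_password: str, from_jid: str, room_jid: str, token: str,
                 timestamp: Optional[int] = None, now: Optional[int] = None,
                 window: int = 300) -> bool:
    """Service side.

    from_jid is the routed 'from' of the presence stanza, not a client-supplied
    field, so a passive attacker cannot choose it. The timestamp, if used, is
    sent in the clear next to the token and must be within `window` seconds of
    the service's clock.
    """
    if timestamp is not None:
        if now is None or abs(now - timestamp) > window:
            return False
    expected = make_token(room_password, from_jid, room_jid, timestamp)
    return hmac.compare_digest(expected, token)


def replay_scenarios() -> dict:
    """Constructed traffic showing what a passive and an active replay achieve."""
    password = "room-secret"                     # constructed room password
    room = "room@conference.example.com"         # constructed room JID
    alice = "alice@example.com/laptop"           # constructed legitimate user
    mallory = "mallory@evil.example/pc"          # constructed attacker

    # Case 1: no timestamp. Alice joins; Mallory sniffs the token on the wire.
    tok = make_token(password, alice, room)
    legit = verify_token(password, alice, room, tok)
    # Passive replay: Mallory resends the token from her own account, so the
    # routed 'from' is hers and the JID-bound MAC no longer matches.
    passive = verify_token(password, mallory, room, tok)
    # Active replay: an attacker who can forge Alice's 'from' (e.g. controls a
    # server on the path) replays the same token and is accepted indefinitely.
    active = verify_token(password, alice, room, tok)

    # Case 2: timestamp in the MAC. The same active attacker cannot alter the
    # timestamp without the password, so the replay only works inside the window.
    t0 = 1287691548  # constructed: Alice's clock at join time (seconds since epoch)
    tok_ts = make_token(password, alice, room, timestamp=t0)
    fresh = verify_token(password, alice, room, tok_ts, timestamp=t0, now=t0 + 30)
    stale = verify_token(password, alice, room, tok_ts, timestamp=t0, now=t0 + 3600)
    # The cost of the timestamp: an honest client whose clock is off by more
    # than the window is rejected too, which is Alex's synchronisation objection.
    skewed = verify_token(password, alice, room, tok_ts, timestamp=t0, now=t0 + 301)

    return {
        "legit": legit,
        "passive_replay": passive,
        "active_replay": active,
        "fresh": fresh,
        "stale": stale,
        "skewed": skewed,
    }


if __name__ == "__main__":
    for name, accepted in replay_scenarios().items():
        print(f"{name:15s} -> {'accepted' if accepted else 'rejected'}")
```

Running it shows the split the messages above describe: with the JIDs in the MAC a sniffed token is useless from any other account, so a replay needs an attacker who can forge the routed `from` (an active attack); adding the timestamp caps how long such an attacker can reuse the token, at the price of rejecting honest clients whose clocks are outside the window.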


