SHA 1 encryption with XIFF

Hello,

I’ve noticed the XIFF library has an extension that handles SHA1. Has anyone used it?

How do I enable it? I’ve looked through the code but I can’t tell which functions to call.

Thanks.

SHA1 works!

It has been made available in XIFFIAN since the last beta version.

In fact, I just uncommented the SHA1 encryption (it works, I really don’t know why it was commented)

in XMPPConnection.as @ line 792 (beginAuthentication_result function)

    //if (resultAuth.isDigest()) {
    //responseAuth.digest = AuthExtension.computeDigest(sessionID, password);
    //} else if (resultAuth.isPassword()) {
    responseAuth.password = password;
    //} else {
    //// Connection method not supported
    //dispatchError( "feature-not-implemented", "Feature Not Implemented", "cancel", 501 );
    //return;
    //}

becomes:

    if (resultAuth.isDigest()) {
        responseAuth.digest = AuthExtension.computeDigest(sessionID, password);
    } else if (resultAuth.isPassword()) {
        responseAuth.password = password;
    } else {
        //// Connection method not supported
        dispatchError( "feature-not-implemented", "Feature Not Implemented", "cancel", 501 );
        return;
    }

I think it should be enough to auto enable SHA1!

works, indeed.

Thanks

Is this considered as secure as MD5-DIGEST? (Yes, I know MD5 is less secure than SHA1 – but MD5-DIGEST uses a nonce, and SHA1 does not seem to …)

OK, looks like it uses the session id as part of the digest. So, as long as the session ID has enough entropy, it should be reasonably secure – i.e. someone couldn’t just send the same digest value to log in as you, and reversing the one-way hash is supposed to be near impossible. I guess this could be considered almost as secure as TLS…

I’m using XIFF 3.0.0 beta 1. I didn’t see any svn location for XIFF, so if there are more recent versions out there, I don’t know about them.

So the version where there was commented out code for the encryption is definitely a different version than I have, but what I needed to do to get login encryption working was to modify XMPPConnection at line 844:

added:

responseAuth.digest = AuthExtension.computeDigest(sessionID, password);
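
An added example, not part of the thread or of XIFF's code: a Python sketch of the digest login the posts above discuss, assuming computeDigest(sessionID, password) is lowercase-hex SHA-1 over the session ID followed by the password (the XEP-0078 construction). AuthServer, open_stream and the sample account are hypothetical names; the sketch shows that a digest only verifies against the session ID it was computed for, and that the verifier has to hold the plaintext password to recompute it.

```python
import hashlib
import hmac
import secrets


def compute_digest(session_id, password):
    """Lowercase hex SHA-1 over session ID + password (assumed construction)."""
    return hashlib.sha1((session_id + password).encode("utf-8")).hexdigest()


def new_session_id():
    """Server side: a fresh, unpredictable ID for every stream (128 bits)."""
    return secrets.token_hex(16)


class AuthServer:
    """Toy verifier. It needs the plaintext password to recompute the digest."""

    def __init__(self, passwords):
        self._passwords = passwords      # constructed sample data
        self._open = set()               # session IDs still awaiting auth

    def open_stream(self):
        sid = new_session_id()
        self._open.add(sid)
        return sid

    def authenticate(self, sid, user, digest):
        if sid not in self._open or user not in self._passwords:
            return False
        self._open.discard(sid)          # this sketch's policy: one try per ID
        expected = compute_digest(sid, self._passwords[user])
        # Constant-time comparison of the two hex strings.
        return hmac.compare_digest(expected.encode(), digest.lower().encode())


def demo():
    server = AuthServer({"alice": "correct horse"})
    sid1 = server.open_stream()
    on_wire = compute_digest(sid1, "correct horse")   # value the client sends
    login = server.authenticate(sid1, "alice", on_wire)
    sid2 = server.open_stream()                       # a later, different stream
    replay_new = server.authenticate(sid2, "alice", on_wire)
    replay_same = server.authenticate(sid1, "alice", on_wire)
    return {"login": login, "replay_new_session": replay_new,
            "replay_same_session": replay_same}


if __name__ == "__main__":
    print(demo())
```

The digest protects only the login step: without TLS, the rest of the stream still crosses the network in the clear.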