Jörg Zieren wrote:
> Hi,
>
> this is a somewhat technical question as to how Razor handles passwords
> specified on the command line, e.g. "-pass=secret". In authenticate (in
> Core.pm) it says:
>
> my ($iv1, $iv2) = xor_key($options->{pass});
> my ($my_digest) = hmac_sha1($resp{achal}, $iv1, $iv2);
>
> %qr = ( a => 'auth', aresp => $my_digest );
> $queries[0] = makesis(%qr);
>
> I'm trying to do this in Java, but since I'm not a Perl programmer I
> don't quite understand the above code. I did find out that passwords
> sent to (and generated by) Razor are 64 chars long, which I assume is
> some encoding of a possibly shorter string, e.g. "secret".
Erm, the string sent to the server, based on the above, is the output of
hmac-sha1. Hmac-sha1 is a VERY standard cryptographic message authentication
code (MAC). It's so standard it's RFC-speced.
HMAC is specified by this RFC:
http://www.faqs.org/rfcs/rfc2104.html
As is SHA1
http://www.faqs.org/rfcs/rfc3174.html
hmac-sha1 will always generate a 160-bit MAC, no matter what the inputs are.
> Is $options->{pass} this shorter string, or is it already encoded? I think
> it's the shorter string, because the encoding seems to happen by xor_key
> and hmac_sha1. But how, exactly (in natural language)? What is
> $resp{achal}?
>
That would appear to be a challenge string issued by the server. It's probably
contained in a response from some earlier part of the conversation with the
server.
What they appear to be doing is using your password as a key to hmac-sha1, and
generating the MAC for the challenge string sent by the server.
This is more-or-less a SHA1 version of CRAM-MD5
http://en.wikipedia.org/wiki/CRAM-MD5
_______________________________________________
Razor-users mailing list
https://lists.sourceforge.net/lists/listinfo/razor-users
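The challenge-response described in the reply above, sketched in Java as an added example that is not part of the original thread and is not Razor's code. It assumes the two values returned by xor_key are the RFC 2104 inner and outer padded keys and that password and challenge are taken as UTF-8 bytes; the class and method names and the challenge string are constructed, and the encoding Razor uses on the wire is not shown in the thread.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
public class ChallengeResponseDemo {
    static final int BLOCK = 64; // SHA-1 block size in bytes

    // RFC 2104: hash keys longer than one block, zero-pad to one block, XOR with a pad byte.
    static byte[] paddedKey(byte[] key, int pad) throws Exception {
        if (key.length > BLOCK) key = MessageDigest.getInstance("SHA-1").digest(key);
        byte[] out = Arrays.copyOf(key, BLOCK);
        for (int i = 0; i < BLOCK; i++) out[i] ^= (byte) pad;
        return out;
    }

    // HMAC written out by hand: H(outerKey || H(innerKey || text)).
    static byte[] hmacByHand(byte[] key, byte[] text) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(paddedKey(key, 0x36));      // inner pad (assumed to match $iv1)
        byte[] inner = sha1.digest(text);       // digest() also resets the instance
        sha1.update(paddedKey(key, 0x5c));      // outer pad (assumed to match $iv2)
        return sha1.digest(inner);
    }

    // The same MAC from the JDK's own HMAC-SHA1 implementation.
    static byte[] hmacJdk(byte[] key, byte[] text) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        return mac.doFinal(text);
    }
    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        byte[] pass = "secret".getBytes(StandardCharsets.UTF_8);
        byte[] achal = "constructed-challenge-0001".getBytes(StandardCharsets.UTF_8); // constructed
        byte[] response = hmacByHand(pass, achal);  // what the client would send back
        // The verifying side recomputes the MAC and compares without an early exit.
        if (!MessageDigest.isEqual(response, hmacJdk(pass, achal))) throw new AssertionError("mismatch");
        System.out.println(response.length * 8 + "-bit MAC: " + hex(response));
        // Self-check against RFC 2202 test case 2 for HMAC-SHA1.
        String v = hex(hmacByHand("Jefe".getBytes(StandardCharsets.UTF_8),
                "what do ya want for nothing?".getBytes(StandardCharsets.UTF_8)));
        if (!v.equals("effcdf6ae5eb2fc2d27416d5f184df9c259a7c79")) throw new AssertionError(v);
    }
}
```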