> -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > Behalf Of Dirk Meyer > Sent: Wednesday, August 20, 2008 11:17 AM > To: XMPP Security > Subject: Re: [Security] TLS Certificates Verification > > Justin Karneges wrote: > > ... > > > Extra points if there'd be a way to authenticate to your XMPP > > account and retrieve your private key with a single password, > > without the XMPP server being able to decrypt the private key. >
Create certificate: Server creates row in DB, salt column is initialized. Sends salt to client. Client performs: KEY = SHA(salt + password) DATA = AES(keyfile, KEY) Client sends DATA to server. Client needs key: Server gets salt from DB. Send salt to client and DATA to client. Client performs: KEY = SHA(salt + password) keyfile = REVAES(keyfile, key) Client now has original keyfile. I don't know how secure that is though. > > > Dirk > > -- > As long as there are ill-defined goals, bizarre bugs, and unrealistic > schedules, there will be Real Programmers willing to jump in and Solve > The Problem, saving the documentation for later.
