Thread: Let's talk about security




Let's talk about security
user name
2007-05-18 08:23:45
Hi all,

I'm back with a question: which algorithm is used for enciphering passwords in sip-communicator? I saw in the .sip-communicator/sip-communicator.xml that the user's passwords are stored in a secure way but I want to focus on that. Can someone tell me which cryptographic algorithm it is?

Thanks a lot.
Re: Let's talk about security
user name
2007-05-18 09:02:39
Hi,
 
I guess Base64 is used to encode the passwords. Here's an extract from ProtocolProviderFactory.java:246 :
 
 if(propKey.equals(PASSWORD))
     propValue = new String(Base64.encode(propValue.getBytes()));
 
I hope this can help you.
 
Cheers,
Chris.
 
Re: Let's talk about security
user name
2007-05-18 09:41:11
Ok, I've tried to encrypt my password using openssl :

openssl enc -base64  -in test

but it wasn't the same result (the last digit differs) so I'm wondering if the sip-communicator is doing another manipulation..

Thanks for your reply.


Re: Let's talk about security
user name
2007-05-18 09:46:38
Please note that base64 is not *encryption*, it's *encoding*. There's no secret, the info content of the data is identical after encoding.


-- 

(C) Matthew Rubenstein

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribesip-communicator.dev.java.net
For additional commands, e-mail: dev-helpsip-communicator.dev.java.net


Re: Let's talk about security
user name
2007-05-18 10:09:03
Could you please send the results of the two encodings? I may be mistaken but Base64 splits the string to encode in groups of 6 bits, so if you've got a string whose length is not a multiple of 3 bytes, Base64 will add padding.

In your case, if you're encoding for example "hello", the algorithm will separate "hel" into 4 groups of 6 bits, and then will have to add padding behind "lo" to encode it. Usually, that would lead to '=' added at the end of the Base64 encoded string (for example in MIME), but some implementations use another character to signal that the zero bits added due to padding should not be used to reconstruct data.

To sum up, if the only bytes that differ are maximum the two last ones, ignore them, everything is fine, that means that the Base64 algorithm of openssl is slightly different from the one used in SC. If more bytes differ, then maybe a checksum was added at the end of the encoded string (AFAIK, I think there were some implementations using that method to avoid data corruption).
 
Best regards,
Chris.

Re: Let's talk about security
user name
2007-05-18 10:20:59
Actually it seems to be the cause, here are the two results :
  • with sip-communicator : bmFkaWE=
  • with openssl : bmFkaWEK
The padding is K for openssl instead of = for sip-communicator. Knowing that will help me a lot.

Thanks for your help, Chris and Matthew.



Re: Let's talk about security
user name
2007-05-18 11:19:18
Hello,

Matthew Rubenstein wrote:
> Please note that base64 is not *encryption*, it's *encoding*. There's
> no secret, the info content of the data is identical after encoding.

This is completely true. Passwords are *not* currently encrypted when stored in sip-communicator. We're only mangling them a bit with Base64 to prevent curious eyes from seeing a password while a user is editing a configuration file.

Currently the security of SC stored passwords is supposed to be guaranteed by the operating system and the fact that it would generally refuse unwanted access to files stored in the user home, unless the user has explicitly specified different behavior.

Having said this, it would still be a nice idea to have a more advanced password storage service similar to those offered by Mac OS X or KDE for example, so in case there are any volunteers - don't hesitate to step forward.

Cheers
Emil
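
Added example, not part of the original messages and not sip-communicator code: it decodes the two values posted in the thread, which shows that the openssl output is the same input followed by a line feed (the final `K` encodes that byte, it is not a padding character), that no key is needed to recover the stored value, and how to check the file mode that the storage actually relies on. The function names are hypothetical and a temporary file stands in for the configuration file.

```python
import base64
import os
import stat
import tempfile

def decode_stored(value: str) -> bytes:
    """Base64 needs no key: anyone who can read the value recovers the input."""
    return base64.b64decode(value, validate=True)

def explain_mismatch(a: str, b: str) -> dict:
    """Decode two Base64 strings and report how the underlying bytes differ."""
    raw_a, raw_b = decode_stored(a), decode_stored(b)
    return {
        "a": raw_a,
        "b": raw_b,
        # The number of '=' characters is fixed by the input length.
        "pad_a": (3 - len(raw_a) % 3) % 3,
        "pad_b": (3 - len(raw_b) % 3) % 3,
        "only_trailing_newline": raw_b == raw_a + b"\n" or raw_a == raw_b + b"\n",
    }

def readable_by_others(path: str) -> bool:
    """True if group or other users have any access to the file (POSIX mode bits)."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)

def demo() -> dict:
    # The two values posted in the thread.
    report = explain_mismatch("bmFkaWE=", "bmFkaWEK")
    # Constructed stand-in for a configuration file holding the encoded password.
    fd, path = tempfile.mkstemp(suffix=".xml")
    try:
        os.write(fd, b"bmFkaWE=")
        os.close(fd)
        os.chmod(path, 0o644)
        report["exposed_at_0644"] = readable_by_others(path)
        os.chmod(path, 0o600)
        report["exposed_at_0600"] = readable_by_others(path)
    finally:
        os.remove(path)
    return report

if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val!r}")
```

A five-byte input leaves two bytes in the last group, so it gets one `=`; the six-byte input (with the line feed from the file) fills the group and gets none.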



