Hi Thijs

Thanks for your response. I see this wiki page seems to be the source of 
http://stackoverflow.com/questions/29298346/xmpp-sasl-scram-sha1-authentication/29299946#29299946

Here is my console output:

[1] pry(main)> clearpass = "p4ssw0rd" 
> => "p4ssw0rd"
> [2] pry(main)> iter = 4096
> => 4096
> [3] pry(main)> clearsalt = "312527ce-e134-4694-b6bc-203707ca5922"
> => "312527ce-e134-4694-b6bc-203707ca5922"
> [4] pry(main)> saltr1 = Base64.encode64(clearsalt)
> => "MzEyNTI3Y2UtZTEzNC00Njk0LWI2YmMtMjAzNzA3Y2E1OTIy\n"
> [5] pry(main)> saltr2 = Base64.encode64(saltr1)
> => 
> "TXpFeU5USTNZMlV0WlRFek5DMDBOamswTFdJMlltTXRNakF6TnpBM1kyRTFP\nVEl5Cg==\n"
> [6] pry(main)> digest = OpenSSL::Digest::SHA1.new
> => #<OpenSSL::Digest::SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709>
> [7] pry(main)> len = digest.digest_length
> => 20
> [8] pry(main)> digest.hexdigest
> => "da39a3ee5e6b4b0d3255bfef95601890afd80709"
> [9] pry(main)> clientkey = OpenSSL::PKCS5.pbkdf2_hmac(clearpass, saltr2, 
> 4096, len, digest)
> => "-U\xF1n\x88\xCA\xE3>Q\xA3\x86v\x97\x9Eh\x1E\x87\xD2\b\xF1"
> [10] pry(main)> instance = OpenSSL::HMAC.new(clientkey, 
> OpenSSL::Digest.new('sha1'))
> => 998267511f3d122664208d940d2f7a0abfc7db28
> [11] pry(main)> data = "Client Key"
> => "Client Key"
> [12] pry(main)> instance.update(data)
> => 9d7f402d056a42398d1b30937759c205a7d5b7fd
> [13] pry(main)> stored_key = Digest::SHA1.digest instance.to_s 

=> "_\xF6\xBB\v_\x88\xA9\x88\xD6\x06\xE7\xDD?\xE0c\xACz\xB9-X"
>
 [14] pry(main)> Digest::SHA1.digest instance.digest
> => "\xE8\x02\x8E\x85\xF5[\xB6\xBF\x1E\x8B\xCBm\x1C\x05+\xE3\xCE\xE8P\x06"
> [15] pry(main)> Digest::SHA1.digest instance.hexdigest
> => "_\xF6\xBB\v_\x88\xA9\x88\xD6\x06\xE7\xDD?\xE0c\xACz\xB9-X"
> [16] pry(main)> Digest::SHA1.hexdigest instance2.hexdigest
> => "5ff6bb0b5f88a988d606e7dd3fe063ac7ab92d58"
>


Salt is base64'ed two times, right?
Does password also get base64'ed?

Thanks for your help & cheers
Patrick


Am Montag, 19. Oktober 2015 21:58:46 UTC+2 schrieb Thijs Alkemade:
>
> On 19 okt. 2015, at 13:40, Thijs Alkemade <m...@thijsalkema.de 
> <javascript:>> wrote: 
> > 
> >> 
> >> On 19 okt. 2015, at 08:26, Pa He <pat.he...@gmail.com <javascript:>> 
> wrote: 
> >> 
> >> I'm having problems implementing the internal_hashed procedures in 
> ruby. My setup is the following: 
> >> 
> >> I have a public-facing prosody 9.3 which does not allow inband 
> registration. I'm writing a Ruby on Rails App 
> >> which should insert the new users into the postgres DB I setup for 
> prosody account storage, but I 
> >> have trouble computing the stored_key and server_key. 
> >> 
> >> AFAIK: 
> >> iterations is hardcoded to be 4096 for new users, but can be any 
> integer. 
> >> UUIDs are used as salt. 
> >> stored_key should be the following: SHA1( clientkey ) 
> >> where clientkey is HMAC (slatedpw, "Client Key") 
> >> and saltedpw is a PBKDF2-SHA1(userspassword, salt and iterations) 
> >> serverkey is the same as clientkey, but HMACed with "Server Key" and 
> without the last SHA1 operation. 
> >> 
> >> Am I missing something here? Because I implemented this procedure with 
> Rails' integrated OpenSSL 
> >> module and I am not getting the same hashes as I get when using in-band 
> registration. 
> >> 
> >> Cheers 
> >> Patrick 
> > 
> > Hi Patrick, 
> > 
> > Could you post some example outputs? Start with a password salt and i, 
> and 
> > post the values of saltedpw, clientkey and storedkey you compute. 
> > 
> > (Alternatively you could look at [1], where I've posted all of the 
> > intermediate values the client computes.) 
> > 
> > Regards, 
> > Thijs 
>
> Where: 
>
> [1] = http://wiki.xmpp.org/web/SASLandSCRAM-SHA-1 
>
> Thijs 
>

-- 
You received this message because you are subscribed to the Google Groups 
"prosody-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to prosody-dev+unsubscr...@googlegroups.com.
To post to this group, send email to prosody-dev@googlegroups.com.
Visit this group at http://groups.google.com/group/prosody-dev.
For more options, visit https://groups.google.com/d/optout.

Reply via email to