Jörg Zieren wrote:
> Jörg Zieren wrote:
>> I'm trying to do this in Java, but since I'm not a Perl programmer I
>> don't quite understand the above code. I did find out that passwords
>> sent to (and generated by) Razor are 64 chars long, which I assume is
>> some encoding of a possibly shorter string, e.g. "secret". Is
>> $options->{pass} this shorter string, or is it already encoded? I
>> think it's the shorter string, because the encoding seems to happen by
>> xor_key and hmac_sha1. But how, exactly (in natural language)? What is
>> $resp{achal}?
> 
> Maybe I wasn't quite clear here. My question was this: I specify a
> password of, say, 10 chars. This, however, is "processed" to yield a
> "longer" string (and I guess this is where I wasn't too specific from a
> cryptographic point of view :-). 

Yes.. It is processed to be longer.. In fact, it is always processed into a
160-bit HMAC-SHA1 result. That 160-bit result is always 20 characters long, no
matter how big or small the password. However, on the wire, it might be larger
still if they base64 or ASCII-hex encode it.


> As I found out by now, that's done by
> xor_key, which returns two strings of 64 chars length. 

Yes, those are the ipad and opad in the HMAC documentation.



> After that we
> have strings of a fixed length of 64 chars, which are then processed
> together with the challenge.

Yes, which is HMAC-SHA1.

Please, read my previous message on this subject. It's got all the materials you
need.
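
The ipad/opad construction described in this reply, written out in Java as an added example (not code from this thread or from Razor) and checked against the JDK's own HmacSHA1. It assumes the password is the HMAC key and the challenge is the message; the class name, sample values and hex output encoding are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class HmacSha1Pads {
    static final int BLOCK = 64; // SHA-1 block size: the "64 chars" of each pad

    // Returns {ipad, opad}: the key zero-padded to 64 bytes, XORed with 0x36 / 0x5c.
    static byte[][] xorKey(byte[] key) throws Exception {
        if (key.length > BLOCK) { // RFC 2104: keys longer than a block are hashed first
            key = MessageDigest.getInstance("SHA-1").digest(key);
        }
        byte[] padded = Arrays.copyOf(key, BLOCK);
        byte[] ipad = new byte[BLOCK], opad = new byte[BLOCK];
        for (int i = 0; i < BLOCK; i++) {
            ipad[i] = (byte) (padded[i] ^ 0x36);
            opad[i] = (byte) (padded[i] ^ 0x5c);
        }
        return new byte[][] { ipad, opad };
    }

    // HMAC-SHA1 = SHA1(opad || SHA1(ipad || message)); the result is always 20 bytes.
    static byte[] hmacSha1(byte[] key, byte[] message) throws Exception {
        byte[][] pads = xorKey(key);
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(pads[0]);
        byte[] inner = sha1.digest(message); // digest() also resets the instance
        sha1.update(pads[1]);
        return sha1.digest(inner);
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        byte[] pass = "secret".getBytes(StandardCharsets.US_ASCII);                // constructed sample
        byte[] challenge = "sample-challenge".getBytes(StandardCharsets.US_ASCII); // constructed sample
        byte[] manual = hmacSha1(pass, challenge);
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(pass, "HmacSHA1"));
        // Constant-time comparison of the hand-built result with the JDK's HMAC-SHA1.
        boolean same = MessageDigest.isEqual(manual, mac.doFinal(challenge));
        System.out.println(hex(manual) + " len=" + manual.length + " matchesJdk=" + same);
    }
}
```

In a real port, `Mac.getInstance("HmacSHA1")` alone is enough; the manual version is only there to show where the two 64-byte pads come from.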


