[sip-comm-dev] Let's talk about security


#1

Hi all,

I'm back with a question: which algorithm is used for enciphering passwords
in sip-communicator? I saw in the
.sip-communicator/sip-communicator.xml that the user's passwords are
stored in a secure way, but I want to focus on
that. Can someone tell me which cryptographic algorithm it is?

Thanks a lot.


#2

Hi,

I guess Base64 is used to encode the passwords. Here's an extract from ProtocolProviderFactory.java:246:

if(propKey.equals(PASSWORD))
    propValue = new String(Base64.encode(propValue.getBytes()));

I hope this can help you.

Cheers,
Chris.


#3

Ok, I've tried to encrypt my password using openssl:

openssl enc -base64 -in test

but it wasn't the same result (the last digit differs), so I'm wondering if
sip-communicator is doing another manipulation.

Thanks for your reply.


#4

Please note that base64 is not *encryption*, it's *encoding*. There's
no secret, the info content of the data is identical after encoding.

--

(C) Matthew Rubenstein

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@sip-communicator.dev.java.net
For additional commands, e-mail: dev-help@sip-communicator.dev.java.net


#5

Could you please send the results of the two encodings? I may be mistaken, but Base64 splits the string to encode into groups of 6 bits, so if you've got a string whose length is not a multiple of 3 bytes, Base64 will add padding.

In your case, if you're encoding for example "hello", the algorithm will separate "hel" into 4 groups of 6 bits, and then will have to add padding behind "lo" to encode it. Usually, that would lead to '=' being added at the end of the Base64-encoded string (for example in MIME), but some implementations use another character to signal that the zero bits added due to padding should not be used to reconstruct data.

To sum up, if the only bytes that differ are at most the last two, ignore them; everything is fine, and that means that the Base64 algorithm of openssl is slightly different from the one used in SC. If more bytes differ, then maybe a checksum was added at the end of the encoded string (AFAIK, I think there were some implementations using that method to avoid data corruption).

Best regards,
Chris.


#6

Hello,

Matthew Rubenstein wrote:

  Please note that base64 is not *encryption*, it's *encoding*. There's
  no secret, the info content of the data is identical after encoding.

This is completely true. Passwords are *not* currently encrypted when stored in sip-communicator. We're only mangling them a bit with Base64 to prevent curious eyes from seeing a password while a user is editing a configuration file.

Currently the security of SC stored passwords is supposed to be guaranteed by the operating system and the fact that it would generally refuse unwanted access to files stored in the user home, unless the user has explicitly specified different behavior.

Having said this, it would still be a nice idea to have a more advanced password storage service similar to those offered by Mac OS X or KDE for example, so in case there are any volunteers - don't hesitate to step forward :).

Cheers
Emil


#7

Actually, it seems to be the cause; here are the two results:

   - with sip-communicator : bmFkaWE=
   - with openssl : bmFkaWEK

The padding is K for openssl instead of = for sip-communicator. Knowing that
will help me a lot.

Thanks for your help, Chris and Matthew.

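Chris's padding explanation in #5 and the two values reported in #7, worked through as an added example (this is not sip-communicator's code): a from-scratch Base64 encoder and decoder following the 6-bit grouping he describes, checked against Python's base64 module and then applied to the two strings from the thread. Decoding shows exactly which bytes differ, and that no key is needed to get the stored value back, which is Matthew's and Emil's point.

```python
import base64

# Added example, not code from sip-communicator: a from-scratch Base64 that
# follows the 6-bit grouping and '=' padding described in the thread, checked
# against Python's base64 module, then applied to the two strings from #7.
B64_ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                "abcdefghijklmnopqrstuvwxyz0123456789+/")


def b64_encode(data: bytes) -> str:
    """Standard Base64: every 3 bytes -> 4 chars; '=' marks missing bytes."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        missing = 3 - len(chunk)          # 0, 1 or 2 bytes short of a group
        n = int.from_bytes(chunk + b"\x00" * missing, "big")
        chars = [B64_ALPHABET[(n >> s) & 0x3F] for s in (18, 12, 6, 0)]
        if missing:                       # each missing byte drops one char
            chars[4 - missing:] = ["="] * missing
        out.append("".join(chars))
    return "".join(out)


def b64_decode(text: str) -> bytes:
    """Inverse of b64_encode; needs no key, which is the point of #4 and #6."""
    pad = text.count("=")
    n = 0
    for ch in text.rstrip("="):
        n = (n << 6) | B64_ALPHABET.index(ch)
    n <<= 6 * pad                         # restore the zero bits padding stood for
    full = len(text) // 4 * 3             # byte count if every group were complete
    return n.to_bytes(full, "big")[:full - pad]


def matches_stdlib(data: bytes) -> bool:
    """Round trip and agreement with the standard library for one input."""
    enc = b64_encode(data)
    return enc == base64.b64encode(data).decode() and b64_decode(enc) == data


def compare_thread_values(sc: str, openssl: str) -> dict:
    """Decode the two strings reported in #7 and isolate what differs."""
    a, b = b64_decode(sc), b64_decode(openssl)
    return {"sc": a, "openssl": b,
            "extra": b[len(a):] if b.startswith(a) else None}


if __name__ == "__main__":
    r = compare_thread_values("bmFkaWE=", "bmFkaWEK")
    print(r)   # the openssl value carries one extra byte: b'\n' from the file
```

Decoding bmFkaWEK returns the same bytes as bmFkaWE= plus a trailing 0x0A, the newline that terminates the file handed to `openssl enc -base64 -in test`; the K is a real data character, not a padding marker.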