
Re: [GNU Crypto] Passwords Immutable?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Casey Marshall wrote:
>    - It's our convention to not use redundant modifiers and
>      declarations; this includes `throws' clauses for unchecked
>      exceptions (although, they should be described in a `@throws'
>      entry in the javadocs, if it is a public or protected method).

Also noticed 'final' was removed from Password method "input only"
parameters -- this seems incongruent with the style guidelines -- was
intentional?

>    - I put Password into the package gnu.crypto.auth. I'm certain that
>      this class will be useful in other places. The next thing to do
>      is replace char arrays with Password wherever else appropriate.

There's a little "gotcha" relative to PlainClient, the plain text
password implementation.  Most of the work is done in EvaluateChallenge
(id, and password init, as well as evaluation).  All user data is
appended to a single StringBuffer, converted to String, and returned as
a utf-8 byte array using String's getBytes.

A couple of things come to mind -- rework and generalize the Password
class idea to something along the lines of a "SecureData" class, and add
an append method to it.  Or could just add an append method to the
Password class.  The only difference between the two, really, is
metaphorical.

Could handwave, with the observation that plain text ain't any too
secure anyway :), but CramMD5Client does something similar with String
data, where again, an append method would take care of it.

I don't mean to dog you with decisions -- just avoiding doing something
that's totally out of left field relative to what you were thinking, or I
might have overlooked something.

Bryan

>
> Cheers,
>
> - --
> Casey Marshall || csm@xxxxxxx
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (GNU/Linux)
> Comment: Processed by Mailcrypt 3.5.7 <http://mailcrypt.sourceforge.net/>
>
> iD8DBQFAlBOXgAuWMgRGsWsRAgtsAJwIHf57svCdMp0sTUbWg5N4OOGRBgCbBhv7
> bCqtWwSEY/Z/uiW9IZzF8Gc=
> =DjJW
> -----END PGP SIGNATURE-----

- --
And people flock around the poet and say:  'Sing again soon' - that is,
'May new sufferings torment your soul but your lips be fashioned as
before, for the cry would only frighten us, but the music, that is
blissful.' - (Soren Kierkegaard - Either/Or)

http://www.wecs.com/content.htm

This signature file is generated by Pick-a-Tag !
Written by Jeroen van Vaarsel
http://www.google.com/search?hl=en&ie=ISO-8859-1&q=pick-a-tag
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (MingW32) - GPGrelay v0.94

iD8DBQFAlwfM8CguVNZ0FHARAvWnAJ438zHhxWKr309Y9uARBcEyMDKJfQCdEgrm
4qcAtOUGf3EiII8kN39TjkE=
=08Pd
-----END PGP SIGNATURE-----


_______________________________________________
gnu-crypto-discuss mailing list
gnu-crypto-discuss@xxxxxxx
http://mail.nongnu.org/mailman/listinfo/gnu-crypto-discuss
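The gotcha Bryan describes is that a java.lang.String (and the StringBuffer it was built from) is immutable and cannot be wiped, so a password that passes through String.getBytes lingers on the heap until the garbage collector gets to it. The following is an added illustration, not code from this thread or from GNU Crypto: a hypothetical ZeroablePassword class (its name, methods and the PLAIN-style "id NUL password" message layout are assumptions for the example, not the gnu.crypto.auth.Password API) that keeps the secret in a char[], supports the append operation the post asks for, encodes to UTF-8 without ever creating a String, and can be zeroed when the caller is done.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/**
 * Hypothetical mutable secret holder (example only; not gnu.crypto.auth.Password).
 * Holds sensitive characters in a char[] so they can be overwritten on demand.
 */
public final class ZeroablePassword {
    private char[] chars;
    private boolean destroyed;

    public ZeroablePassword(char[] initial) {
        this.chars = initial.clone();   // private copy; caller still owns and wipes its own array
    }

    /** Append more characters, wiping the old buffer once it has been copied. */
    public void append(char[] more) {
        checkLive();
        char[] grown = new char[chars.length + more.length];
        System.arraycopy(chars, 0, grown, 0, chars.length);
        System.arraycopy(more, 0, grown, chars.length, more.length);
        Arrays.fill(chars, '\0');       // the superseded copy is zeroed, not just dropped
        chars = grown;
    }

    /** UTF-8 encode directly from the char[]; no String or StringBuffer is ever created. */
    public byte[] getBytes() {
        checkLive();
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(chars));
        byte[] out = new byte[encoded.remaining()];
        encoded.get(out);
        if (encoded.hasArray()) {
            Arrays.fill(encoded.array(), (byte) 0);   // wipe the encoder's scratch buffer too
        }
        return out;   // caller owns this copy and must Arrays.fill it after use
    }

    /** Overwrite the secret; the object is unusable afterwards. */
    public void destroy() {
        Arrays.fill(chars, '\0');
        destroyed = true;
    }

    public boolean isDestroyed() {
        return destroyed;
    }

    private void checkLive() {
        if (destroyed) {
            throw new IllegalStateException("password has been destroyed");
        }
    }

    /** Builds a PLAIN-style "authcid NUL passwd" payload with constructed sample values. */
    public static void main(String[] args) {
        char[] userId = "alice".toCharArray();        // constructed sample id
        char[] secret = "correct horse".toCharArray(); // constructed sample password

        ZeroablePassword message = new ZeroablePassword(userId);
        message.append(new char[] {'\0'});
        message.append(secret);
        Arrays.fill(secret, '\0');                     // the caller's copy is wiped immediately

        byte[] wire = message.getBytes();
        System.out.println("payload length: " + wire.length);
        // ... hand `wire` to the transport here ...

        Arrays.fill(wire, (byte) 0);                   // wipe the encoded bytes after sending
        message.destroy();                             // and the char[] that produced them

        // Contrast: the StringBuffer/String route has no equivalent of the wipes above.
        // String leaked = new StringBuffer("alice").append('\0').append("correct horse").toString();
        // byte[] b = leaked.getBytes(StandardCharsets.UTF_8); // `leaked` stays readable until GC
    }
}
```

Every buffer that held the secret (the caller's char[], each superseded internal copy, the encoder's scratch ByteBuffer and the returned byte[]) has a definite point at which it is overwritten, which is exactly what the String path cannot offer. The class's own Arrays.fill calls are best-effort on a JVM (a copying collector may already have moved the array), but they remove the easy case where the plaintext sits in an unreferenced String for an unbounded time.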
