Subj : Re: Implementing MPWD
To   : mark lewis
From : Ozz Nixon
Date : Thu Jun 21 2018 13:10:53

ml> the question is fine in here but i don't know if there are any binkd
ml> maintainers in here... they're more easily found in BINKD and apparently
ml> hang out more in BINKD.RU or some such...

I will check that one out ... thanks!

ml> there was something interesting discovered several months ago, though...
ml> in the CRAM-MD5 implementations, apparently only 32byte checksum strings
ml> are allowed (or used?) even though the spec allows for up to 64bytes
ml> (IIRC)... i scanned three years of binkd logs and all
ml> CRAM-MD5-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx strings are of the same

Not one to argue with a European on the hash algorithms, but, I just implemented CRAM-MD5 and CRAM-SHA1. Understanding what I coded, the only flaw I saw was when the "secret" is > 64 characters, then it switches to a 16bit algorithm, and with CRAM you double process the "secret", so I guess they mean if someone uses a 65 character or longer password for handshaking using BinkP they have reduced the accuracy down to 32bit - but, I do not know of any sysop who is willing to type in a 65+ character handshake.

Ozz

--- dBridge & Rhenium
 * Origin: RVA Fido Support - ExchangeBBS.com, ModernPascal.com (1:275/362)
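The secret-length behaviour discussed in this message, as an added example that is not code from the post, binkd or dBridge: HMAC-MD5 written out per RFC 2104, showing how a secret longer than the 64-byte MD5 block is handled and why the response is always 32 hex characters. The helper names and the challenge value are constructed for illustration, and the `CRAM-MD5-<hex>` response shape is assumed from the log strings quoted above.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # MD5 input block size in bytes (RFC 2104 calls this B)
# Constructed sample challenge (hex), standing in for the one a peer sends.
SAMPLE_CHALLENGE_HEX = "00112233445566778899aabbccddeeff"


def hmac_md5(secret: bytes, message: bytes) -> bytes:
    """HMAC-MD5 written out step by step, following RFC 2104."""
    key = secret
    if len(key) > BLOCK_SIZE:
        # A secret longer than one block is replaced by its 16-byte MD5 digest.
        key = hashlib.md5(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")  # zero-pad to exactly one block
    inner_pad = bytes(b ^ 0x36 for b in key)
    outer_pad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.md5(inner_pad + message).digest()
    return hashlib.md5(outer_pad + inner).digest()


def cram_md5_response(secret: bytes, challenge_hex: str) -> str:
    """Build a CRAM-MD5-<hex> string (hypothetical helper name)."""
    digest = hmac_md5(secret, bytes.fromhex(challenge_hex))
    return "CRAM-MD5-" + digest.hex()


def long_secret_is_prehashed(secret: bytes, challenge_hex: str) -> bool:
    """True when the secret and MD5(secret) give the same response."""
    prehashed = hashlib.md5(secret).digest()
    return hmac.compare_digest(
        cram_md5_response(secret, challenge_hex),
        cram_md5_response(prehashed, challenge_hex),
    )


if __name__ == "__main__":
    for length in (8, 64, 65, 100):
        secret = b"p" * length  # constructed secrets of varying length
        response = cram_md5_response(secret, SAMPLE_CHALLENGE_HEX)
        reference = hmac.new(secret, bytes.fromhex(SAMPLE_CHALLENGE_HEX), hashlib.md5)
        assert response == "CRAM-MD5-" + reference.hexdigest()
        print(length, len(response) - len("CRAM-MD5-"),
              long_secret_is_prehashed(secret, SAMPLE_CHALLENGE_HEX), response)
```

A secret of 65 bytes or more produces the same response as its 16-byte MD5 digest used as the key, while the hex part of the response stays 32 characters for every secret length.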