gnu-crypto-discuss
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [GNU Crypto] Passwords Immutable?

From: Bryan Hoover
Subject: Re: [GNU Crypto] Passwords Immutable?
Date: Wed, 21 Apr 2004 03:42:24 -0400 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Casey Marshall wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Another idea: how about making passwords expirable? After a timeout
> passes, the object could be automatically destroyed.
>
> This could be a standard interface; an abstract class,
> ExpirableObject, that implements destroyable and, on creation, is
> registered with a timer that will call destroy() once the timeout
> elapses.

Yeah, good point.  I wasn't sure where to put the destructor call.  As
it stands, the destructor is called when the mechanism is reset, in
resetMechanism.

I assume the objective is to cover for any situation in which
resetMechanism is not called -- which could include client side crashing
for instance, or just not calling it, which, asfaik is okay in terms of
the SASL protocol specification (and perhaps something in addition to
this?).

In any event, in this light, resetMechanism is probably not the best
place to put the constructor.

So now that you mention it, why not destroy the password as soon as
possible?  It's not needed beyond initialization is it?, so once that's
done, perhaps that'd be the time to call the destructor.  Looks like
that would be right after or within sendPublicKey.

I note that ClientMechanism implements dispose(), but it is empty, and
is not overridden in SRPClient.  Perhaps this would be the place to put
the destructor call?  But again, relies on client to make the dispose()
call.

There's also the ClientStore session timeout which causes the mechanism
to be, if you will, ultimately reset -- that is, reset to the extent the
session can't be reused.

Bryan

>
> - --
> Casey Marshall || address@hidden
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (GNU/Linux)
> Comment: Processed by Mailcrypt 3.5.7 <http://mailcrypt.sourceforge.net/>
>
> iD8DBQFAheMbgAuWMgRGsWsRAkBFAJ46OttfYCWkQ5Dk+1mKr8xLeEl4IgCgimeU
> fPQLvvatEtY3U+6mWZNORTU=
> =49Yu
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> gnu-crypto-discuss mailing list
> address@hidden
> http://mail.nongnu.org/mailman/listinfo/gnu-crypto-discuss

- --
Nothing in the world has more potential for beauty than woman.  Nothing
has more potential to destroy it, than the world. - (Anonymous)

http://www.wecs.com/content.htm

This signature file is generated by Pick-a-Tag !
Written by Jeroen van Vaarsel
http://www.google.com/search?hl=en&ie=ISO-8859-1&q=pick-a-tag
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (MingW32) - GPGrelay v0.94

iD8DBQFAhiXi8CguVNZ0FHARApPxAJwNufa8Nu0bSzQ/7vT+vG1QdvBaUACfXL8A
o4TBxZCVV4gZ+MEsF1mK2Kg=
=WajR
-----END PGP SIGNATURE-----
reply via email to
[Prev in Thread] Current Thread [Next in Thread]