Re: [GNU Crypto] Passwords Immutable?

gnu-crypto-discuss

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [GNU Crypto] Passwords Immutable?

From:	Casey Marshall
Subject:	Re: [GNU Crypto] Passwords Immutable?
Date:	Mon, 03 May 2004 20:33:12 -0700
User-agent:	Gnus/5.1002 (Gnus v5.10.2) Emacs/21.2 (gnu/linux)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>>>>> "Bryan" == Bryan Hoover <address@hidden> writes:

Bryan> Casey Marshall wrote:
>> - It's our convention to not use redundant modifiers and
>> declarations; this includes `throws' clauses for unchecked
>> exceptions (although, they should be described in a address@hidden' entry
>> in the javadocs, if it is a public or protected method).

Bryan> Also noticed 'final' was removed from Password method "input
Bryan> only" parameters -- this seems incongruent with the style
Bryan> guidelines -- was intentional?

Nope. I removed them by mistake, shuffling files around.

>> - I put Password into the package gnu.crypto.auth. I'm certain that
>> this class will be useful in other places. The next thing to do is
>> replace char arrays with Password wherever else appropriate.

Bryan> There's a little "gottcha" relative to PlainClient, the plain
Bryan> text password implementation.  Most of the work is done in
Bryan> EvaluateChallenge (id, and password init, as well as
Bryan> evaluation).  All user data is appended to a single
Bryan> StringBuffer, converted to String, and returned as a utf-8 byte
Bryan> array using String's getBytes.

Bryan> Couple things come to mind -- rework, and generalize the
Bryan> Password class idea, to something along the lines of a
Bryan> "SecureData" class, and add an append method to it.  Or could
Bryan> just add an append method to the Password class.  Only
Bryan> difference between the two really, is metaphorical.

`append' would break the contract of immutability, and I think making
them immutable, but destroyable, is best.

Bryan> Could handwave, with the observation that plain text ain't any
Bryan> too secure anyway :), but CramMD5Client does something similar
Bryan> with String data, where again, an append method would take care
Bryan> of it.

There really isn't much sense is worrying about PLAIN. Probably the
best thing to do is use CharEncoder or OutputStreamWriter and
ByteArrayOutputStream.

- -- 
Casey Marshall || address@hidden
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.7 <http://mailcrypt.sourceforge.net/>

iD8DBQFAlw7tgAuWMgRGsWsRAkfmAKCHUVEku/35BoSZQLMRDKdbAXL5OwCdHUO3
aZE15/By4Va4o1meRpjiBOg=
=jub9
-----END PGP SIGNATURE-----

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [GNU Crypto] Passwords Immutable?, Bryan Hoover, 2004/05/01
- Re: [GNU Crypto] Passwords Immutable?, Bryan Hoover, 2004/05/01
- Re: [GNU Crypto] Passwords Immutable?, Casey Marshall, 2004/05/01
  - Re: [GNU Crypto] Passwords Immutable?, Bryan Hoover, 2004/05/01
    - Re: [GNU Crypto] Passwords Immutable?, Casey Marshall, 2004/05/01
    - Re: [GNU Crypto] Passwords Immutable?, Bryan Hoover, 2004/05/01
    - Re: [GNU Crypto] Passwords Immutable?, Casey Marshall, 2004/05/02
    - Re: [GNU Crypto] Passwords Immutable?, Bryan Hoover, 2004/05/02
  - Re: [GNU Crypto] Passwords Immutable?, Bryan Hoover, 2004/05/03
    - Re: [GNU Crypto] Passwords Immutable?, Casey Marshall <=
    - Re: [GNU Crypto] Passwords Immutable?, Bryan Hoover, 2004/05/04
    - Re: [GNU Crypto] Passwords Immutable?, Casey Marshall, 2004/05/04
    - Re: [GNU Crypto] Passwords Immutable?, Bryan Hoover, 2004/05/09
    - Re: [GNU Crypto] Passwords Immutable?, Casey Marshall, 2004/05/09
    - Re: [GNU Crypto] Passwords Immutable?, Bryan Hoover, 2004/05/09

Prev by Date: Re: [GNU Crypto] Passwords Immutable?
Next by Date: Re: [GNU Crypto] Passwords Immutable?
Previous by thread: Re: [GNU Crypto] Passwords Immutable?
Next by thread: Re: [GNU Crypto] Passwords Immutable?
Index(es):
- Date
- Thread