
Re: Confused on best security method...



Hey Matt,


Wednesday, July 25, 2001, 9:24:48 AM, you wrote:

MW>         I've been playing around with OpenLDAP here for the past week very 
MW> thoroughly.. however I'm still a bit confused on what would be the most secure 
MW> method of transmitting passwords and storing them as there seems to be lots of 
MW> options. More than likely, I will be having one or two machines running slapd 
MW> and slurpd, and then several other webservers making calls to these from 
MW> various PHP scripts. What would be the best method of securing the passwords 
MW> being transmitted between these LDAP servers and website server machines?
MW>         MD5 or SSHA is the only method that I have been able to get to work 
MW> correctly, and I guess that's called a 'simple bind.' While that seems 
MW> perfectly fine to me to store that password in the directory as a MD5 or 
MW> such, when logging in, isn't the MD5 or SSHA always going to be the same??

SSHA is a seeded algorithm and produces a unique result every time.
However, SSL/TLS is still in order, because it is possible, albeit very
hard, to crack that password hash if it's sniffed being sent in the clear.
Actually, I think you can even send that hash that you sniff right back at
OpenLDAP and it would authenticate.  So, you're really only protecting the
cleartext of the password.

-- 
 Kevin