• FTS-1027 Section 1.7 CRAM-MD5 Frame Exchange Example

    From Jason Brady@1:218/910 to All on Tue Apr 23 16:11:00 2024
    Hello All,

    Question regarding FTS-1027 section 1.7 "Example of Frame Exchange During CRAM Authentication"

    In the example, the Originating side returns

    M_PWD "CRAM-MD5-56be002162a4a15ba7a9064f0c93fd00"

    This hex value appears to be incorrect. I tested with two implementations of the CRAM-MD5 algorithm, and in both cases, the same hex value was calculated using the password and challenge hex string from the example, which differed from the value shown in the document.

    Password: tanstaaftanstaaf
    Challenge: f0315b074d728d483d6887d0182fc328
    Expected: 56be002162a4a15ba7a9064f0c93fd00 <- From section 1.7 example
    Result: 1503922bb6a38bc934bca7afeb522d28 <- From both MD5 algorithms

    Which is correct - the value shown in section 1.7 or the test result value?

    Thank you,
    Jason Brady

    --- PCF2OBM 1.3 OpenVMS AXP 8.4-2L1
    * Origin: Shady Labs (1:218/910)
  • From Andrew Leary@1:320/219 to Jason Brady on Wed Apr 24 12:19:02 2024
    Hello Jason!

    23 Apr 24 16:11, you wrote to all:

    >> Question regarding FTS-1027 section 1.7 "Example of Frame Exchange
    >> During CRAM Authentication"

    >> In the example, the Originating side returns

    >> M_PWD "CRAM-MD5-56be002162a4a15ba7a9064f0c93fd00"

    >> This hex value appears to be incorrect. I tested with two
    >> implementations of the CRAM-MD5 algorithm, and in both cases, the same
    >> hex value was calculated using the password and challenge hex string
    >> from the example, which differed from the value shown in the document.

    >> Password: tanstaaftanstaaf
    >> Challenge: f0315b074d728d483d6887d0182fc328
    >> Expected: 56be002162a4a15ba7a9064f0c93fd00 <- From section 1.7 example
    >> Result: 1503922bb6a38bc934bca7afeb522d28 <- From both MD5 algorithms

    >> Which is correct - the value shown in section 1.7 or the test result value?

    I will do some testing and attempt to validate your concern.

    Andrew

    --- GoldED+/LNX 1.1.5-b20240209
    * Origin: From the Desk of the FTSC Administrator (1:320/219)
  • From deon@3:633/509 to Jason Brady on Thu Apr 25 21:35:04 2024
    Re: FTS-1027 Section 1.7 CRAM-MD5 Frame Exchange Example
    By: Jason Brady to All on Tue Apr 23 2024 04:11 pm

    Howdy,

    >> Question regarding FTS-1027 section 1.7 "Example of Frame Exchange During CRAM Authentication"
    >> Password: tanstaaftanstaaf
    >> Challenge: f0315b074d728d483d6887d0182fc328
    >> Expected: 56be002162a4a15ba7a9064f0c93fd00 <- From section 1.7 example
    >> Result: 1503922bb6a38bc934bca7afeb522d28 <- From both MD5 algorithms

    >> Which is correct - the value shown in section 1.7 or the test result value?

    With those details, the correct response would be 1503922bb6a38bc934bca7afeb522d28.


    --- SBBSecho 3.20-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (3:633/509)
  • From Jason Brady@1:218/910 to deon on Sat Apr 27 13:11:00 2024
    Hello deon,

    >> With those details, the correct response would be 1503922bb6a38bc934bca7afeb522d28.

    Thank you for the confirmation! Good to know that both algorithms produce the correct response value.

    Regarding FTS-1027 section 1.7, can the example be updated, or is it illustrative only? If I may make a suggestion, I would use a password more in line with one assigned by an NC (such as "BOBBY123") and show the actual response (digest) resulting from that password and a random hex challenge string like the one in the current example.

    Thank you,
    Jason Brady

    --- PCF2OBM 1.3 OpenVMS AXP 8.4-2L1
    * Origin: Shady Labs (1:218/910)
  • From Michiel van der Vlist@2:280/464.5555 to Jason Brady on Sun Apr 28 08:58:03 2024
    Hello Jason,

    On Saturday April 27 2024 13:11, you wrote to deon:

    >> Regarding FTS-1027 section 1.7, can the example be updated, or is it illustrative only? If I may make a suggestion, I would use a password
    >> more in line with one assigned by an NC (such as "BOBBY123")

    "BOBBY123" is NOT a password I would use or a type of password that I would encourage other Fidonet colleagues to use. So I strongly advise against using it as an example in FTSC documentation.


    Cheers, Michiel

    --- GoldED+/W32-MSVC 1.1.5-b20130111
    * Origin: Klein Schnøørd (2:280/464.5555)
  • From Jason Brady@1:218/910 to Michiel van der Vlist on Mon Apr 29 08:37:00 2024
    Hi Michiel,

    >> "BOBBY123" is NOT a password I would use or a type of password that I
    >> would encourage other Fidonet colleagues to use. So I strongly advise
    >> against using it as an example in FTSC documentation.

    What would you propose as a more suitable and appropriate password for the example? Or, continue to use the existing password, which is stated in the first line of section 1.7 "(Password here is tanstaaftanstaaf)"?

    Regards,
    Jason

    --- PCF2OBM 1.3 OpenVMS AXP 8.4-2L1
    * Origin: Shady Labs (1:218/910)
  • From Rob Swindell@1:103/705 to Michiel van der Vlist on Mon Apr 29 12:51:09 2024
    Re: FTS-1027 Section 1.7 CRAM-MD5 Frame Exchange Example
    By: Michiel van der Vlist to Jason Brady on Sun Apr 28 2024 08:58 am

    >> Hello Jason,

    >> On Saturday April 27 2024 13:11, you wrote to deon:

    >>> Regarding FTS-1027 section 1.7, can the example be updated, or is it illustrative only? If I may make a suggestion, I would use a password more in line with one assigned by an NC (such as "BOBBY123")

    >> "BOBBY123" is NOT a password I would use or a type of password that I would encourage other Fidonet colleagues to use. So I strongly advise against using it as an example in FTSC documentation.

    Why burn a "good password" in a standards document? It's common practice to use bad passwords as example source material for hashes and digests in standards.
    https://www.rfc-editor.org/rfc/rfc1321
    --
    digital man (rob)

    Synchronet/BBS Terminology Definition #49:
    KD = King Drafus (Allen Christiansen)
    Norco, CA WX: 74.8°F, 46.0% humidity, 5 mph W wind, 0.00 inches rain/24hrs
    --- SBBSecho 3.20-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Michiel van der Vlist@2:280/464.5555 to Jason Brady on Mon Apr 29 22:33:38 2024
    Hello Jason,

    On Monday April 29 2024 08:37, you wrote to me:

    >> What would you propose as a more suitable and appropriate password for
    >> the example? Or, continue to use the existing password, which is
    >> stated in the first line of section 1.7 "(Password here is tanstaaftanstaaf)"?

    I was triggered by your suggestion to use an actual password that an NC would use. Such as BOBBY123. A password that IMNSHO neither an NC nor anyone else should actually use. On second thoughts, using "12345", "PASSWORD", "EXAMPLE" or whatever is fine to use as an example as long as it is clear that it is just that: an example, not something to actually use.


    Cheers, Michiel

    --- GoldED+/W32-MSVC 1.1.5-b20130111
    * Origin: Klein Schnøørd (2:280/464.5555)
  • From Michiel van der Vlist@2:280/464.5555 to Rob Swindell on Mon Apr 29 22:38:49 2024
    Hello Rob,

    On Monday April 29 2024 12:51, you wrote to me:

    >>> "BOBBY123" is NOT a password I would use or a type of password that
    >>> I would encourage other Fidonet colleagues to use. So I strongly
    >>> advise against using it as an example in FTSC documentation.

    >> Why burn a "good password" in a standards document? It's common
    >> practice to use bad passwords as example source material for hashes
    >> and digests in standards.

    Point taken. See my previous message.


    Cheers, Michiel

    --- GoldED+/W32-MSVC 1.1.5-b20130111
    * Origin: Klein Schnøørd (2:280/464.5555)
  • From Nick Andre@1:229/426 to Jason Brady on Mon Apr 29 18:33:43 2024

    >>> "BOBBY123" is NOT a password I would use or a type of password that I
    >>> would encourage other Fidonet colleagues to use. So I strongly advise
    >>> against using it as an example in FTSC documentation.

    >> What would you propose as a more suitable and appropriate password for the example? Or, continue to use the existing password, which is stated in the first line of section 1.7 "(Password here is tanstaaftanstaaf)"?

    He's an old pathetic techno-dick easily "triggered" and can F off. It doesn't matter what example you use. Who cares. Anyone looking to understand what is being discussed would get it.

    Nick

    --- Renegade vY2Ka2
    * Origin: Joey, do you like movies about gladiators? (1:229/426)
  • From Jason Brady@1:218/910 to Michiel van der Vlist on Tue Apr 30 10:46:00 2024
    Hi Michiel, Rob and Team,

    >> Point taken. See my previous message.

    Point taken here as well!

    Thank you everyone for your time and consideration. Based on your feedback I would like to propose the following change to Section 1.7:

    Replace "CRAM-MD5-56be002162a4a15ba7a9064f0c93fd00"
    with "CRAM-MD5-1503922bb6a38bc934bca7afeb522d28"

    The replacement value reflects the correct digest produced by the algorithm given the example password and challenge string inputs.

    Good discussion everyone; much appreciated.

    Regards,
    Jason

    --- PCF2OBM 1.3 OpenVMS AXP 8.4-2L1
    * Origin: Shady Labs (1:218/910)
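    The digest computation the thread settles on, as an added example (not code from FTS-1027, binkd or any poster): HMAC-MD5 keyed with the session password over the challenge decoded from hex, wrapped in the "CRAM-MD5-" prefix, plus the answering side's constant-time check. Values are the section 1.7 example inputs and the two digests quoted in the thread; assumed function names are my own.

    ```python
    import binascii
    import hashlib
    import hmac

    # Inputs from the FTS-1027 section 1.7 example, as quoted in the thread.
    EXAMPLE_PASSWORD = "tanstaaftanstaaf"
    EXAMPLE_CHALLENGE_HEX = "f0315b074d728d483d6887d0182fc328"
    DOCUMENT_DIGEST = "56be002162a4a15ba7a9064f0c93fd00"   # printed in the document
    COMPUTED_DIGEST = "1503922bb6a38bc934bca7afeb522d28"   # reported in the thread

    PREFIX = "CRAM-MD5-"


    def parse_challenge(opt_value: str) -> bytes:
        """Decode the answering side's 'CRAM-MD5-<hex>' option to bytes.
        The HMAC is computed over the decoded bytes, not the hex text."""
        if not opt_value.startswith(PREFIX):
            raise ValueError("not a CRAM-MD5 option")
        hex_part = opt_value[len(PREFIX):]
        if not hex_part or len(hex_part) % 2:
            raise ValueError("challenge must be a non-empty even-length hex string")
        try:
            return binascii.unhexlify(hex_part)
        except binascii.Error as exc:
            raise ValueError("challenge is not valid hex") from exc


    def cram_md5_digest(password: str, challenge: bytes) -> str:
        """HMAC-MD5 with the password as key; lowercase hex output."""
        return hmac.new(password.encode("ascii"), challenge, hashlib.md5).hexdigest()


    def build_m_pwd(password: str, opt_value: str) -> str:
        """Originating side: the argument sent in the M_PWD frame."""
        return PREFIX + cram_md5_digest(password, parse_challenge(opt_value))


    def verify_m_pwd(password: str, challenge: bytes, m_pwd_arg: str) -> bool:
        """Answering side: recompute and compare in constant time, so a
        mismatch does not reveal how many leading bytes were right."""
        if not m_pwd_arg.startswith(PREFIX):
            return False
        expected = cram_md5_digest(password, challenge)
        return hmac.compare_digest(expected, m_pwd_arg[len(PREFIX):].lower())


    if __name__ == "__main__":
        print(build_m_pwd(EXAMPLE_PASSWORD, PREFIX + EXAMPLE_CHALLENGE_HEX))
    ```
    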
  • From Rob Swindell@1:103/705 to Jason Brady on Tue Apr 30 11:12:00 2024
    Re: FTS-1027 Section 1.7 CRAM-MD5 Frame Exchange Example
    By: Jason Brady to Michiel van der Vlist on Tue Apr 30 2024 10:46 am

    >> Thank you everyone for your time and consideration. Based on your feedback I would like to propose the following change to Section 1.7:

    >> Replace "CRAM-MD5-56be002162a4a15ba7a9064f0c93fd00"
    >> with "CRAM-MD5-1503922bb6a38bc934bca7afeb522d28"

    I support this change.
    --
    digital man (rob)

    Steven Wright quote #29:
    To steal ideas from one person is plagiarism; to steal from many is research.
    Norco, CA WX: 67.2°F, 61.0% humidity, 3 mph W wind, 0.00 inches rain/24hrs
    --- SBBSecho 3.20-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Alexey Vissarionov@2:5020/545 to Carol Shenkenberger on Fri May 3 08:18:48 2024
    Good ${greeting_time}, Carol!

    30 Apr 2024 17:01:08, you wrote to Rob Swindell:

    >>> Why burn a "good password" in a standards document? It's common
    >>> practice to use bad passwords as example source material for hashes and
    >>> digests in standards https://www.rfc-editor.org/rfc/rfc1321

    >> Agreed. A sample should be something like yourpassword

    Being here for many years, you still don't know about the 8-symbol limit still existing in other software and the common practice to use one password for all FTN stuff?

    My suggestion: "password". Or, even better, "pAs5w0rD".
    Both are (1) readable and (2) unacceptable for actual use.


    --
    Alexey V. Vissarionov aka Gremlin from Kremlin
    gremlin.ru!gremlin; +vii-cmiii-ccxxix-lxxix-xlii

    ... GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net
    --- /bin/vi
    * Origin: ::1 (2:5020/545)