Hello All,

Question regarding FTS-1027 section 1.7 "Example of Frame Exchange During CRAM Authentication"

In the example, the Originating side returns

M_PWD "CRAM-MD5-56be002162a4a15ba7a9064f0c93fd00"

This hex value appears to be incorrect. I tested with two implementations of the CRAM-MD5 algorithm, and in both cases, the same hex value was calculated using the password and challenge hex string from the example, which differed from the value shown in the document.

Password: tanstaaftanstaaf
Challenge: f0315b074d728d483d6887d0182fc328
Expected: 56be002162a4a15ba7a9064f0c93fd00 <- From section 1.7 example Result: 1503922bb6a38bc934bca7afeb522d28 <- From both MD5 algorithms

Which is correct - the value shown in section 1.7 or the test result value?

Thank you,
Jason Brady

--- PCF2OBM 1.3 OpenVMS AXP 8.4-2L1
* Origin: Shady Labs (1:218/910)

Hello Jason!

23 Apr 24 16:11, you wrote to all:

Question regarding FTS-1027 section 1.7 "Example of Frame Exchange
During CRAM Authentication"

In the example, the Originating side returns

M_PWD "CRAM-MD5-56be002162a4a15ba7a9064f0c93fd00"

This hex value appears to be incorrect. I tested with two
implementations of the CRAM-MD5 algorithm, and in both cases, the same
hex value was calculated using the password and challenge hex string
from the example, which differed from the value shown in the document.

Password: tanstaaftanstaaf
Challenge: f0315b074d728d483d6887d0182fc328
Expected: 56be002162a4a15ba7a9064f0c93fd00 <- From section 1.7
example
Result: 1503922bb6a38bc934bca7afeb522d28 <- From both MD5
algorithms

Which is correct - the value shown in section 1.7 or the test result value?

I will do some testing and attempt to validate your concern.

Andrew

--- GoldED+/LNX 1.1.5-b20240209
* Origin: From the Desk of the FTSC Administrator (1:320/219)

Re: FTS-1027 Section 1.7 CRAM-MD5 Frame Exchange Example
By: Jason Brady to All on Tue Apr 23 2024 04:11 pm

Howdy,

Question regarding FTS-1027 section 1.7 "Example of Frame Exchange During CRAM Authentication"
Password: tanstaaftanstaaf
Challenge: f0315b074d728d483d6887d0182fc328
Expected: 56be002162a4a15ba7a9064f0c93fd00 <- From section 1.7 example Result: 1503922bb6a38bc934bca7afeb522d28 <- From both MD5 algorithms

Which is correct - the value shown in section 1.7 or the test result value?

With those details, the correct response would be 1503922bb6a38bc934bca7afeb522d28.


...δεσ∩
--- SBBSecho 3.20-Linux
* Origin: I'm playing with ANSI+videotex - wanna play too? (3:633/509)

Hello deon,

>> With those details, the correct response would be 1503922bb6a38bc934bc
>> a7afeb522d28.

Thank you for the confirmation! Good to know that both algorithms produce the correct response value.

Regarding FTS-1027 section 1.7, can the example be updated, or is it illustrative only? If I may make a suggestion, I would use a password more in line with one assigned by an NC (such as "BOBBY123") and show the actual response (digest) resulting from that password and a random hex challenge string like the one in the current example.

Thank you,
Jason Brady

--- PCF2OBM 1.3 OpenVMS AXP 8.4-2L1
* Origin: Shady Labs (1:218/910)

Hello Jason,

On Saturday April 27 2024 13:11, you wrote to deon:

Regarding FTS-1027 section 1.7, can the example be updated, or is it illustrative only? If I may make a suggestion, I would use a password
more in line with one assigned by an NC (such as "BOBBY123")

"BOBBY123" is NOT a password I would use or a type of password that I would encourage other Fidonet collegues to use. So I strongly advise against using it as an example in an FTSC documentation.


Cheers, Michiel

--- GoldED+/W32-MSVC 1.1.5-b20130111
* Origin: Klein Schnøørd (2:280/464.5555)

Hi Michiel,

>> "BOBBY123" is NOT a password I would use or a type of password that I
>> would encourage other Fidonet collegues to use. So I strongly advise a
>> gainst using it as an example in an FTSC documentation.

What would you propose as a more suitable and appropriate password for the example? Or, continue to use the existing password, which is stated in the first line of section 1.7 "(Password here is tanstaaftanstaaf)"?

Regards,
Jason

--- PCF2OBM 1.3 OpenVMS AXP 8.4-2L1
* Origin: Shady Labs (1:218/910)

Re: FTS-1027 Section 1.7 CRAM-MD5 Frame Exchange Example
By: Michiel van der Vlist to Jason Brady on Sun Apr 28 2024 08:58 am

Hello Jason,

On Saturday April 27 2024 13:11, you wrote to deon:

Regarding FTS-1027 section 1.7, can the example be updated, or is it illustrative only? If I may make a suggestion, I would use a password more in line with one assigned by an NC (such as "BOBBY123")

"BOBBY123" is NOT a password I would use or a type of password that I would encourage other Fidonet collegues to use. So I strongly advise against using it as an example in an FTSC documentation.

Why burn a "good password" in a standards document? It's common practice to use bad passwords as example source material for hashes and digests in standards.
https://www.rfc-editor.org/rfc/rfc1321
--
digital man (rob)

Synchronet/BBS Terminology Definition #49:
KD = King Drafus (Allen Christiansen)
Norco, CA WX: 74.8°F, 46.0% humidity, 5 mph W wind, 0.00 inches rain/24hrs
--- SBBSecho 3.20-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

Hello Jason,

On Monday April 29 2024 08:37, you wrote to me:

What would you propose as a more suitable and appropriate password for
the example? Or, continue to use the existing password, which is
stated in the first line of section 1.7 "(Password here is tanstaaftanstaaf)"?

I was triggered by your suggestion to use an actual password that an NC would use. Such as BOBBY123. A password that IMNSHO an NC - nor anyone else - should actually use. On second thoughts, using "12345", "PASSWORD", "EXAMPLE" or whatever is fine ro use as an example as long as it is clear that it is just that: an example, not something to actually use.


Cheers, Michiel

--- GoldED+/W32-MSVC 1.1.5-b20130111
* Origin: Klein Schnøørd (2:280/464.5555)

Hello Rob,

On Monday April 29 2024 12:51, you wrote to me:

"BOBBY123" is NOT a password I would use or a type of password that
I would encourage other Fidonet collegues to use. So I strongly
advise against using it as an example in an FTSC documentation.

Why burn a "good password" in a standards document? It's common
practice to use bad passwords as example source material for hashes
and digests in standards.

Point taken. See my previous message.


Cheers, Michiel

--- GoldED+/W32-MSVC 1.1.5-b20130111
* Origin: Klein Schnøørd (2:280/464.5555)

>> "BOBBY123" is NOT a password I would use or a type of password that I
>> would encourage other Fidonet collegues to use. So I strongly advise
>> gainst using it as an example in an FTSC documentation.

What would you propose as a more suitable and appropriate password for the example? Or, continue to use the existing password, which is stated in the first line of section 1.7 "(Password here is tanstaaftanstaaf)"?

He's an old pathetic techno-dick easily "triggered" and can F off. It doesn't matter what example you use. Who cares. Anyone looking to understand what
is being discussed would get it.

Nick

--- Renegade vY2Ka2
* Origin: Joey, do you like movies about gladiators? (1:229/426)

Hi Michiel, Rob and Team,

>> Point taken. See my previous message.

Point taken here as well!

Thank you everyone for your time and consideration. Based on your feedback I would like to propose the following change to Section 1.7:

Replace "CRAM-MD5-56be002162a4a15ba7a9064f0c93fd00"
with "CRAM-MD5-1503922bb6a38bc934bca7afeb522d28"

The replacement value reflects the correct digest produced by the algorithm given the example password and challenge string inputs.

Good discussion everyone; much appreciated.

Regards,
Jason

--- PCF2OBM 1.3 OpenVMS AXP 8.4-2L1
* Origin: Shady Labs (1:218/910)

Re: FTS-1027 Section 1.7 CRAM-MD5 Frame Exchange Example
By: Jason Brady to Michiel van der Vlist on Tue Apr 30 2024 10:46 am

Thank you everyone for your time and consideration. Based on your feedback I would like to propose the following change to Section 1.7:

Replace "CRAM-MD5-56be002162a4a15ba7a9064f0c93fd00"
with "CRAM-MD5-1503922bb6a38bc934bca7afeb522d28"

I support this change.
--
digital man (rob)

Steven Wright quote #29:
To steal ideas from one person is plagiarism; to steal from many is research. Norco, CA WX: 67.2°F, 61.0% humidity, 3 mph W wind, 0.00 inches rain/24hrs
--- SBBSecho 3.20-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

Good ${greeting_time}, Carol!

30 Apr 2024 17:01:08, you wrote to Rob Swindell:

Why burn a "good password" in a standards document? It's common
practice to bad passwords as example source material for hashes and
digests in standards https://www.rfc-editor.org/rfc/rfc1321

Agreed. A sample should be something like yourpassword

Being here for many years, you still don't know about 8-symbols limit still existing in other software and the common practice to use one password for all FTN stuff?

My suggestion: "password". Or, even better, "pAs5w0rD".
Both are (1) readable and (2) inacceptable for actual use.


--
Alexey V. Vissarionov aka Gremlin from Kremlin
gremlin.ru!gremlin; +vii-cmiii-ccxxix-lxxix-xlii

... GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net
--- /bin/vi
* Origin: ::1 (2:5020/545)