Basic Authentication uses only a username or login and a password. These two strings are concatenated with a colon (":") between them (e.g., "billg:snookums"). To keep from transmitting this sensitive data in the clear, SyncML products must encode this string in Base64. This simple authentication is generally fine for nonsensitive datastores, but it is not adequate where eavesdropping is a concern: Base64 is an encoding, not encryption, so the encoded string is trivially decoded back to the username and password.
An example Basic Authentication for a username of 'userid' and a password of 'password' that has been encoded in Base64 looks like this: 'dXNlcmlkOnBhc3N3b3Jk'. Base64 encoding is described later on in this chapter.
The MD5 algorithm is defined in the IETF RFC 1321 "MD5 Message-Digest Algorithm" [RFC1321]. The MD5 digest is an algorithm that produces a unique 128-bit value when passed an arbitrary set of data. This data can be text strings or binary values. Note that it is not possible to reproduce the data from the digest; the MD5 algorithm only generates 128 bits of data via a one-way algorithm. The MD5 digest is also useful in determining whether a set of data has been modified in transit, since different data will produce a different digest value.
MD5 Authentication in version 1.0.1
For version 1.0.1 of SyncML, MD5 Authentication is built by creating a temporary string by concatenating the username or login, a colon, the password, another colon, and the recipient-specified Nonce. This temporary string is then run through the MD5 algorithm, producing the MD5 Authentication. The value is placed directly into a WBXML [WBXML01] message, but must be Base64 encoded for XML messages. Readers familiar with HTTP [RFC2616] may note that this is not the same methodology used in the HTTP header.
Here is how the credentials with MD5 will look for a username of 'Bruce2', a password of 'OhBehave' and a Nonce of 'Nonce'. The temporary string will look like this: 'Bruce2:OhBehave:Nonce'.
  <Cred>
    <Meta><Type xmlns='syncml:metinf'>syncml:auth-md5</Type></Meta>
    <Data>UmkqAAZhiQvXXhfaf/u+OQ==</Data>
  </Cred>
The algorithm for creating this value looks like the following:
  MDAuth is the resulting authentication value
  MD5 is the method of producing an MD5 digest

  MDAuth = MD5( username + ':' + password + ':' + nonce )
MD5 Authentication in version 1.1
For version 1.1 of SyncML, MD5 Authentication is built differently to allow for separation of authentication from the SyncML processing. The algorithm for creating the MD5 Authentication looks like the following:
  MD5Auth is the resulting authentication value
  MD5 is the method of producing an MD5 digest
  B64 is the method of Base64 encoding an arbitrary value
  UP is the concatenation of the username and password
  MD5(UP) is the MD5 digest of UP

  MD5Auth = MD5( B64(MD5(UP)) + ':' + Nonce )
The same values as the above example (Bruce2, OhBehave, and Nonce) will produce this XML Cred example (with the data base64 encoded):
  <Cred>
    <Meta><Type xmlns='syncml:metinf'>syncml:auth-md5</Type></Meta>
    <Data>Zz6EivR3yeaaENcRN6lpAQ==</Data>
  </Cred>
The MD5Auth value is placed directly into a WBXML message, but must be Base64 encoded for XML messages.
This method is preferred, since it is no longer required to store the password in a datastore accessible to the Sync Engine. The MD5(UP) can be passed directly to an Authentication service for confirmation, and the password is never transmitted over the network.
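The three credential forms discussed above (Basic, MD5 in 1.0.1, and MD5 in 1.1), worked through in Python as an added example that is not code from the chapter or from any SyncML product. It assumes UP is formed as 'username:password' with the same colon separator the chapter's example string 'Bruce2:OhBehave' uses, treats the nonce as a text string as the chapter does, and adds a hypothetical AuthService class to show the 1.1 separation: the service stores only B64(MD5(UP)), issues a single-use nonce, and checks the presented digest without ever seeing the password.

```python
import base64
import hashlib
import hmac
import secrets


def b64(data: bytes) -> str:
    """Base64 encode raw bytes for use inside an XML message."""
    return base64.b64encode(data).decode("ascii")


def basic_credential(username: str, password: str) -> str:
    # syncml:auth-basic: Base64("username:password"). This is encoding only and
    # is reversible by anyone who captures the message.
    return b64(f"{username}:{password}".encode("utf-8"))


def md5_auth_v101(username: str, password: str, nonce: str) -> bytes:
    # SyncML 1.0.1: MDAuth = MD5(username:password:nonce), as raw 16 bytes.
    # WBXML carries the raw bytes; XML carries b64() of them.
    return hashlib.md5(f"{username}:{password}:{nonce}".encode("utf-8")).digest()


def md5_up(username: str, password: str) -> bytes:
    # UP = "username:password" (assumption: colon separator as in the chapter's example).
    return hashlib.md5(f"{username}:{password}".encode("utf-8")).digest()


def md5_auth_v11_from_stored(b64_md5_up: str, nonce: str) -> bytes:
    # SyncML 1.1: MD5Auth = MD5( B64(MD5(UP)) + ":" + nonce ).
    # Only the stored B64(MD5(UP)) is needed, never the password itself.
    return hashlib.md5(f"{b64_md5_up}:{nonce}".encode("utf-8")).digest()


def md5_auth_v11(username: str, password: str, nonce: str) -> bytes:
    """Client side: derive the 1.1 digest from the real password."""
    return md5_auth_v11_from_stored(b64(md5_up(username, password)), nonce)


def cred_element(data: bytes) -> str:
    """Render the <Cred> element as it appears in an XML message (Data is Base64)."""
    return ("<Cred><Meta><Type xmlns='syncml:metinf'>syncml:auth-md5</Type></Meta>"
            f"<Data>{b64(data)}</Data></Cred>")


class AuthService:
    """Hypothetical 1.1-style verifier (constructed for this example).

    Stores B64(MD5(UP)) per user, never the password. Note that the stored value is
    still password-equivalent for this protocol: whoever holds it can answer any
    nonce, so the store must be protected just as carefully.
    """

    def __init__(self) -> None:
        self._users: dict[str, str] = {}
        self._issued: dict[str, str] = {}

    def enroll(self, username: str, password: str) -> None:
        self._users[username] = b64(md5_up(username, password))

    def issue_nonce(self, username: str) -> str:
        # Fresh, unpredictable nonce per challenge; a fixed nonce would make
        # every captured digest replayable.
        nonce = secrets.token_urlsafe(16)
        self._issued[username] = nonce
        return nonce

    def verify(self, username: str, presented: bytes) -> bool:
        stored = self._users.get(username)
        nonce = self._issued.pop(username, None)  # single use: a replay finds no nonce
        if stored is None or nonce is None:
            return False
        expected = md5_auth_v11_from_stored(stored, nonce)
        return hmac.compare_digest(expected, presented)  # constant-time comparison


if __name__ == "__main__":
    # The chapter's sample inputs; compare the printed Data values with the chapter's.
    print("basic :", basic_credential("userid", "password"))
    print("1.0.1 :", cred_element(md5_auth_v101("Bruce2", "OhBehave", "Nonce")))
    print("1.1   :", cred_element(md5_auth_v11("Bruce2", "OhBehave", "Nonce")))
```

Running the block prints the Basic credential from the chapter and the two <Cred> elements for 'Bruce2', 'OhBehave' and 'Nonce', so the Data strings can be checked against the ones shown above. The AuthService shows why the 1.1 layout helps: the Sync Engine never needs the password, and a captured digest is useless once its nonce has been consumed.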
Base64 Encoding is a simple procedure for turning arbitrary data into standard ASCII (7-bit) data. It also has the nice side benefit of turning simple strings into opaque, or humanly unreadable, data. The process of Base64 encoding takes 24-bit values and treats them as four 6-bit values. Each 6-bit value is used as an index into a printable character table. Table 8-1 contains the Base64 alphabet used for this encoding.
Table 8-1. Base64 Alphabet
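The 24-bit to four-times-6-bit process described above, written out in Python as an added example (not code from the chapter). The alphabet is the standard one from RFC 4648, which is the same 64 characters Table 8-1 lists; the encoder handles the one- and two-byte tails with '=' padding, the decoder rejects malformed input, and split_basic_credential shows how a captured Basic credential reverses straight back into its username and password.

```python
# Standard Base64 alphabet (RFC 4648): index 0-25 A-Z, 26-51 a-z, 52-61 0-9, 62 '+', 63 '/'.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
PAD = "="
_INDEX = {c: i for i, c in enumerate(ALPHABET)}


def b64encode(data: bytes) -> str:
    """Encode bytes: every 3 input bytes (24 bits) become 4 output characters."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = len(chunk)
        # Pack up to 3 bytes into one 24-bit integer, zero-filling a short tail.
        value = int.from_bytes(chunk.ljust(3, b"\0"), "big")
        # Split the 24 bits into four 6-bit indexes into the alphabet.
        chars = [ALPHABET[(value >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        # A 1-byte tail is 2 chars + "==", a 2-byte tail is 3 chars + "=".
        keep = n + 1
        out.append("".join(chars[:keep]) + PAD * (4 - keep))
    return "".join(out)


def b64decode(text: str) -> bytes:
    """Decode Base64 text; raises ValueError on bad length, alphabet or padding."""
    if len(text) % 4 != 0:
        raise ValueError("Base64 input length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(text), 4):
        quad = text[i:i + 4]
        body = quad.rstrip(PAD)
        pad = 4 - len(body)
        # Padding may only be 0-2 characters, only at the very end of the input.
        if pad > 2 or PAD in body or (pad and i + 4 != len(text)):
            raise ValueError("malformed Base64 padding")
        value = 0
        for c in body:
            if c not in _INDEX:
                raise ValueError(f"character {c!r} is not in the Base64 alphabet")
            value = (value << 6) | _INDEX[c]
        value <<= 6 * pad  # padding characters contribute zero bits
        out += value.to_bytes(3, "big")[: 3 - pad]
    return bytes(out)


def is_valid_base64(text: str) -> bool:
    """True if the text decodes cleanly under the rules above."""
    try:
        b64decode(text)
        return True
    except ValueError:
        return False


def split_basic_credential(encoded: str) -> tuple[str, str]:
    """Reverse a Basic credential: Base64 hides nothing from anyone who captures it."""
    user, _, password = b64decode(encoded).decode("utf-8").partition(":")
    return user, password


if __name__ == "__main__":
    # The chapter's Basic example: 'userid:password' -> 'dXNlcmlkOnBhc3N3b3Jk'.
    print(b64encode(b"userid:password"))
    print(split_basic_credential("dXNlcmlkOnBhc3N3b3Jk"))
```

The three short test strings "f", "fo" and "foo" exercise each tail length (two, one and zero padding characters), and a full 0-255 byte round trip confirms that every alphabet index is reachable. The decoder's checks matter on a server that parses credentials from the wire: a lenient decoder that silently accepts stray padding or odd lengths invites mismatches between what was sent and what was verified.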