2.2.5.18.1 Password Encoding

The implementer MUST use the following algorithm to encode the password. However, the implementer MAY use alternate data structures as long as the resulting value is the same.

First, the cleartext password represented as a Unicode string in little-endian format is encoded using the following sequence:

PasswordLength: The number of characters in the cleartext password.

EncodedPassword: A buffer of length ((PasswordLength + 2) * 2) bytes.

Seed: A single byte.

The buffer EncodedPassword MUST be initialized such that every bit is zero.

Seed MUST be equal to a nonzero value of 8 bits chosen at random.

Copy the cleartext password into the buffer EncodedPassword beginning at the third byte (zero-based index of 2).

The third byte (zero-based index 2) of the buffer EncodedPassword is set to the bitwise XOR of the existing third byte and the bitwise OR value of Seed combined with 0x43.

For each subsequent byte I, beginning at index 3, it MUST be set equal to the result of EncodedPassword[I] combined using bitwise XOR with the result of a bitwise XOR operation of EncodedPassword[I-1] with the value of Seed. This operation MUST be completed for all subsequent bytes except the last two bytes of EncodedPassword.

The first byte of the buffer EncodedPassword MUST be equal to the value of Seed.

The second byte of the buffer EncodedPassword MUST be equal to 0.

The following is an example of the preceding algorithm:

  • PasswordLength is the number of characters in the cleartext password.

  • EncodedPassword is a zero-initialized buffer of ((PasswordLength + 2) * 2) bytes.

  • The Seed is set to a nonzero value chosen at random, 0xAB in this example.

  • Copy the cleartext password (which is a Unicode string in little-endian format) into EncodedPassword beginning at the third byte (zero-based index of 2). In this example, the cleartext password is "PASSWORD".

Then the buffer, EncodedPassword, interpreted as an array of double byte characters, or wchar_t, could be represented graphically as:

Figure 3: EncodedPassword characters

Then the buffer, EncodedPassword, interpreted as an array of bytes, where each element is depicted as a hexadecimal 8-bit value, could be represented graphically as:

Figure 4: EncodedPassword buffer

The third byte is set as follows.

EncodedPassword[2] = EncodedPassword[2] XOR (Seed OR 0x43)

Subsequent bytes, except for the last two, are set as follows:

EncodedPassword[I] = EncodedPassword[I] XOR (EncodedPassword[I-1] XOR Seed)

In this way, the caller communicates the Seed necessary for decoding Buffer at the server (2) during message processing.

Each iteration of the encoding algorithm applied to the encoding buffer follows.

 00 00 50 00 41 00 53 00 53 00 57 00 4F 00 52 00 44 00 00 00
 00 00 BB 00 41 00 53 00 53 00 57 00 4F 00 52 00 44 00 00 00
 00 00 BB 10 41 00 53 00 53 00 57 00 4F 00 52 00 44 00 00 00
 00 00 BB 10 FA 00 53 00 53 00 57 00 4F 00 52 00 44 00 00 00
 00 00 BB 10 FA 51 53 00 53 00 57 00 4F 00 52 00 44 00 00 00
 00 00 BB 10 FA 51 A9 00 53 00 57 00 4F 00 52 00 44 00 00 00
 00 00 BB 10 FA 51 A9 02 53 00 57 00 4F 00 52 00 44 00 00 00
 00 00 BB 10 FA 51 A9 02 FA 00 57 00 4F 00 52 00 44 00 00 00
 00 00 BB 10 FA 51 A9 02 FA 51 57 00 4F 00 52 00 44 00 00 00
 00 00 BB 10 FA 51 A9 02 FA 51 AD 00 4F 00 52 00 44 00 00 00
 00 00 BB 10 FA 51 A9 02 FA 51 AD 06 4F 00 52 00 44 00 00 00
 00 00 BB 10 FA 51 A9 02 FA 51 AD 06 E2 00 52 00 44 00 00 00
 00 00 BB 10 FA 51 A9 02 FA 51 AD 06 E2 49 52 00 44 00 00 00
 00 00 BB 10 FA 51 A9 02 FA 51 AD 06 E2 49 B0 00 44 00 00 00
 00 00 BB 10 FA 51 A9 02 FA 51 AD 06 E2 49 B0 1B 44 00 00 00
 00 00 BB 10 FA 51 A9 02 FA 51 AD 06 E2 49 B0 1B F4 00 00 00
 00 00 BB 10 FA 51 A9 02 FA 51 AD 06 E2 49 B0 1B F4 5F 00 00

Finally, set the first byte equal to the Seed and the second byte to 0.

 AB 00 BB 10 FA 51 A9 02 FA 51 AD 06 E2 49 B0 1B F4 5F 00 00

The encoding is complete. The example buffer would look like the following:

Figure 5: EncodedPassword complete
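
The encoding steps above and their inverse, as an added Python example that is not part of the specification. The function names, the input checks in the decoder, and the counting of PasswordLength in UTF-16 code units are assumptions of this example; with Seed 0xAB and "PASSWORD" the encoder reproduces the final buffer shown above.

```python
import secrets
from typing import Optional


def encode_password(password: str, seed: Optional[int] = None) -> bytes:
    """Encode a cleartext password following the steps in this section."""
    if seed is None:
        seed = secrets.randbelow(255) + 1      # random value in 1..255, never zero
    if not 1 <= seed <= 0xFF:
        raise ValueError("Seed must be a nonzero 8-bit value")
    raw = password.encode("utf-16-le")         # Unicode string, little-endian
    length = len(raw) // 2                     # assumption: UTF-16 code units
    buf = bytearray((length + 2) * 2)          # zero-initialized EncodedPassword
    buf[2:2 + len(raw)] = raw                  # copy starting at index 2
    buf[2] ^= seed | 0x43                      # third byte
    for i in range(3, len(buf) - 2):           # every later byte except the last two
        buf[i] ^= buf[i - 1] ^ seed
    buf[0] = seed                              # first byte carries the Seed
    buf[1] = 0                                 # second byte is 0
    return bytes(buf)


def decode_password(encoded: bytes) -> str:
    """Invert the encoding using only the Seed carried in byte 0."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("buffer must have an even length of at least 4 bytes")
    seed = encoded[0]
    if seed == 0 or encoded[1] != 0:
        raise ValueError("byte 0 must be a nonzero Seed and byte 1 must be 0")
    buf = bytearray(encoded)
    # Walk backwards: each byte was masked with the already-encoded byte
    # before it, which is still intact when processing in descending order.
    for i in range(len(buf) - 3, 2, -1):
        buf[i] ^= buf[i - 1] ^ seed
    buf[2] ^= seed | 0x43
    return buf[2:-2].decode("utf-16-le")       # drop Seed/0 header and last two bytes


if __name__ == "__main__":
    sample = encode_password("PASSWORD", 0xAB)  # values from the example above
    print(sample.hex(" ").upper())
    print(decode_password(sample))
```

The decoder needs nothing beyond the buffer itself, so the encoding obscures the password but provides no confidentiality on its own.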