Password Encryption On AIM’s TOC Protocol

I was just reading the code for BlueTOC, an open source PHP library that allows web applications to connect to AIM servers and hold chat sessions, and I noticed something interesting. Instead of encrypting the login password for transport, TOC obfuscates it with a scheme called "roasting": each byte of the password is XORed with the corresponding byte of a fixed seven-byte key (the key repeats as needed), and the result is hex-encoded with a "0x" prefix. Despite the name, this is not a one-way hash. XOR with a known, constant key is its own inverse, so anyone who captures the roasted value can recover the password by applying the same key again. Alongside the roasted password, the signon command also carries a numeric "signin code" computed from the first character of the username and the first character of the password, using a formula that looks unnecessarily complicated:


function get_signin_code()
{
    // Take the ASCII value of the first character of the
    // username and of the password, and subtract 96 from each
    // (so 'a' maps to 1, 'b' to 2, and so on)
    $name = ord( strtolower( str_replace( " ", "", $this->aim_user[0] ) ) ) - 96;
    $pass = ord( $this->aim_pass[0] ) - 96;
    // Then we do some math with fixed constants
    $a = $name * 7696 + 738816;
    $b = $name * 746512;
    $c = $pass * $a;
    // And then we have the signon code the server expects
    return $c - $a + $b + 71665152;
}

function roast_password( $password )
{
    $roasted = '0x'; // The roasted password starts with 0x
    // XOR each byte of the password with the corresponding byte of
    // $this->roast, the fixed 7-byte roasting key, and hex-encode it
    for( $i = 0; $i < strlen( $password ); $i++ )
    {
        $roasted .= bin2hex( $password[$i] ^ $this->roast[$i % 7] );
    }
    return $roasted;
}
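
To make the point concrete, here is the same roasting and signin-code logic reimplemented in Python, together with the "unroast" step that an observer of the TOC signon would apply. This is an added example, not BlueTOC's code or anything shipped with AIM. It assumes the roasting key is the seven-byte string "Tic/Toc", which is the key the TOC protocol uses; the page's own code only refers to it as $this->roast. It also normalises the whole screen name (lowercase, spaces removed) before taking its first character, whereas the BlueTOC snippet applies that normalisation to the first character only; the sample username and password are constructed.

```python
# Added example (not BlueTOC's code): TOC password "roasting" and the
# signin code, reimplemented in Python to show that roasting is a fixed-key
# XOR that anyone who sees the wire value can undo.
#
# Assumption: the roasting key is the 7-byte string "Tic/Toc" (the key used
# by the TOC protocol; the page only refers to it as $this->roast).
ROAST_KEY = b"Tic/Toc"


def _xor_with_key(data: bytes) -> bytes:
    """XOR each byte with the key byte at the same position mod 7."""
    return bytes(b ^ ROAST_KEY[i % len(ROAST_KEY)] for i, b in enumerate(data))


def roast_password(password: str) -> str:
    """Mirror of BlueTOC's roast_password(): '0x' + hex(pw[i] ^ key[i % 7])."""
    return "0x" + _xor_with_key(password.encode("latin-1")).hex()


def unroast_password(roasted: str) -> str:
    """Recover the plaintext: XOR with a constant key is its own inverse."""
    if not roasted.startswith("0x"):
        raise ValueError("roasted password must start with 0x")
    return _xor_with_key(bytes.fromhex(roasted[2:])).decode("latin-1")


def normalize_screenname(name: str) -> str:
    """Lowercase, spaces removed (applied to the whole name here, see lead-in)."""
    return name.replace(" ", "").lower()


def signin_code(username: str, password: str) -> int:
    """Mirror of BlueTOC's get_signin_code(): the value depends only on the
    first character of the normalised screen name and of the password."""
    name = ord(normalize_screenname(username)[0]) - 96
    pw = ord(password[0]) - 96
    a = name * 7696 + 738816
    b = name * 746512
    c = pw * a
    return c - a + b + 71665152


def recover_from_capture(username: str, roasted: str, code: int) -> str:
    """What a passive observer can do with a captured signon: unroast the
    password, then confirm the recovery by recomputing the signin code."""
    password = unroast_password(roasted)
    if signin_code(username, password) != code:
        raise ValueError("signin code does not match the recovered password")
    return password


if __name__ == "__main__":
    # Constructed sample credentials, not real accounts.
    user, pw = "Bob Smith", "secret"
    wire = roast_password(pw)
    code = signin_code(user, pw)
    print("roasted:", wire)          # 0x270c005d311b
    print("signin code:", code)      # 86733920
    print("recovered:", recover_from_capture(user, wire, code))
```

Roasting hides the password from a casual glance at the wire, and nothing more: the only "secret" is a protocol constant embedded in every client. The signin code adds no protection either, since it is a deterministic function of two characters and four public constants.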

It's always interesting to see how other companies handle security. Neither half of this scheme protects anything: the roasted password can be recovered by anyone able to observe the TOC signon, and the signin code is derived from the same two characters with fixed constants, so it adds no secret either. This is just one approach that America Online probably devised years ago and that has stayed in place through today.

Created by DesignForWeb company. All rights reserved © 2007-2010. Check also the iPhone / iPad developers blog