2.2.4 Session Authorization Token

The session authorization token is used only in version 3 of the protocol. It proves that the creator of the token possessed both the full connection string and the password when the connection was established. To create an authorization token, the expert or novice MUST follow these steps:

  1. Form the base Unicode string by concatenating the password with the string "NOVICE" or "EXPERT": use "NOVICE" if the token is being created for the novice and "EXPERT" if it is for the expert. The string "EXPERT" or "NOVICE" is appended after the password. Only the last 6 bytes of the Remote Assistance password are used to create the token.

  2. Append the connection string to the string formed in step 1 to form the hash input. For the first round of hashing, 20 bytes of 0 are appended to the end of the hash input.

  3. Use the Secure Hashing Algorithm 1 (SHA-1) to convert the hash input to a binary value (160 bits).

  4. Append this value to the string formed in step 2 to form a new hash input.

  5. Repeat steps 3 and 4 100,000 times.

The main intent of this algorithm is to make it computationally expensive to build an exhaustive list of all possible tokens and their matching passwords or valid connection strings.

The following is an example of a token string before it is hashed repeatedly.

 ABCDEFNOVICE<E>
   <A KH="YiKwWUY8Ioq5NB3wAQHSbs5kwrM=" ID="8rYm30RBW8/4dAWoUsWbFCF5jno/7jr5tNpHQc2goLbw4uuBBJvLsU02YYLlBMg5" />
     <C>
         <T ID="1" SID="1440550163">
             <L P="49749" N="2001:4898:1a:5:79e2:3356:9b22:3470"/>
             <L P="49751" N="172.31.250.64"/>
         </T>
     </C>
 </E>

Here ABCDEF is the password, and the token is being created to validate the novice.
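The derivation in steps 1 to 5, written out as an added Python example (this is not code from the specification or from any Microsoft implementation). It reads the steps as a hash chain: H0 is 20 zero bytes and each round computes H(i) = SHA-1(prefix || H(i-1)), where prefix is the last 6 characters of the password, the role string, and the connection string; the token is H(100000). Two details the page leaves open are treated as assumptions and marked in the code: the "Unicode string" is encoded as UTF-16-LE, and the example connection string above is used with its line breaks and indentation collapsed. A constant-time comparison is included for the side that checks a received token.

```python
import hashlib
import hmac

ROUNDS = 100_000      # step 5: number of SHA-1 rounds
DIGEST_LEN = 20       # step 3: SHA-1 output is 160 bits
ROLES = ("NOVICE", "EXPERT")

# Constructed sample: the connection string from the specification's example,
# collapsed onto one line. The exact whitespace of the real wire format is an
# assumption of this example and changes the resulting token.
SAMPLE_CONNECTION_STRING = (
    '<E><A KH="YiKwWUY8Ioq5NB3wAQHSbs5kwrM=" '
    'ID="8rYm30RBW8/4dAWoUsWbFCF5jno/7jr5tNpHQc2goLbw4uuBBJvLsU02YYLlBMg5" />'
    '<C><T ID="1" SID="1440550163">'
    '<L P="49749" N="2001:4898:1a:5:79e2:3356:9b22:3470"/>'
    '<L P="49751" N="172.31.250.64"/>'
    "</T></C></E>"
)


def build_hash_prefix(password: str, role: str, connection_string: str,
                      encoding: str = "utf-16-le") -> bytes:
    """Steps 1 and 2: (last 6 characters of password + role) + connection string.

    The page calls the result a Unicode string; UTF-16-LE is assumed here as
    the byte encoding, and "last 6 bytes" is read as the last 6 characters.
    """
    if role not in ROLES:
        raise ValueError(f"role must be one of {ROLES}, got {role!r}")
    base = password[-6:] + role                  # step 1
    return (base + connection_string).encode(encoding)  # step 2


def hash_round(prefix: bytes, previous: bytes) -> bytes:
    """Steps 3 and 4: SHA-1 over prefix || previous 160-bit value."""
    return hashlib.sha1(prefix + previous).digest()


def derive_token(password: str, role: str, connection_string: str,
                 rounds: int = ROUNDS, encoding: str = "utf-16-le") -> bytes:
    """Run the full chain and return the 20-byte session authorization token."""
    prefix = build_hash_prefix(password, role, connection_string, encoding)
    value = bytes(DIGEST_LEN)    # first round appends 20 zero bytes (step 2)
    for _ in range(rounds):      # step 5: repeat steps 3 and 4
        value = hash_round(prefix, value)
    return value


def verify_token(candidate: bytes, password: str, role: str,
                 connection_string: str, rounds: int = ROUNDS,
                 encoding: str = "utf-16-le") -> bool:
    """Recompute the token for the expected role and compare in constant time."""
    expected = derive_token(password, role, connection_string, rounds, encoding)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # The page's example: password ABCDEF, token created to validate the novice.
    token = derive_token("ABCDEF", "NOVICE", SAMPLE_CONNECTION_STRING)
    print("novice token:", token.hex())
    print("verifies:", verify_token(token, "ABCDEF", "NOVICE", SAMPLE_CONNECTION_STRING))
```

Because only the last 6 characters of the password enter the prefix, the password space a verifier can expect to have been protected is at most six characters wide; the 100,000-round chain is what raises the cost of precomputing tokens for every candidate password against a given connection string.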