[Cryptography Team] Daap Implementation

Yann Monclair yann at monclair.info
Tue Nov 7 17:03:50 UTC 2006


Ron,

I see two possibilities for the error I get:

1. http://crazney.net/programs/itunes/authentication.html
New for iTunes 4.5 - 29 April 2004.

Yesterday Apple released a new version of iTunes which updates the  
DAAP protocol. Amongst these changes to the protocol include a new  
authentication algorithm. They have changed the strings that get used  
for the hash table, include a few more things in the hash table - and  
more importantly, no longer use a real MD5 algorithm.

This is one year after your quote, so I assume it's an update with  
more recent iTunes.

2. Maybe I automatically (not sure how) log out after each request,
thus expiring the session-id I just gathered. I read that that
problem occurred with wget if you close the connection. I'll try to
keep the connection open and see from there.

**EDIT** 2. doesn't seem to be the problem, because after a
request I'm still listed as a connected client in iTunes.

Yann

(this may be a resend, my email client sometimes gets confused  
between my different identities...)


On 7 nov. 06, at 17:22, Ron Teitelbaum wrote:

> Yann,
>
> It sure looks to me like the sessionID is returned from the server from the
> logon.  So you logon and get back a loginresponse which has the 4 byte
> sessionid attached to it.  Maybe the problem you are having is with
> endianness.  What platform are you working on?  Try changing the sessionID
> from AABBCCDD to DDCCBBAA.  If that works then that is your problem and we
> can discuss ways of fixing that for a general implementation.  I don't see
> anything about the response being encrypted or validated, do you have a
> reference to that somewhere?
>
> From: http://molelog.molehill.org/blox/Computers/Macintosh/DAAP3.writeback
>
> /login
> No arguments required (or apparently used).
>
> The response is too short; my current parser handles this by just stopping
> when it finds an all-0 tag.
>
> dmap.loginresponse                      0x00000024
>  dmap.status                            0x00000004    number 0x000000c8(200)
>  dmap.sessionid                         0x00000004    number 0x0000040e(1038)
> ==== END ====
>
>
> The dmap.sessionid will be the value for the 'session-id' parameter to the
> following requests.
>
> Ron Teitelbaum
> Squeak Cryptography Team Leader
>
>> -----Original Message-----
>> From: Yann Monclair
>> Sent: Tuesday, November 07, 2006 3:21 AM
>>
>> (Sorry if this is a resend, it seems I sent the first email before
>> being completely registered to the mailing list, it must have been
>> moderated.)
>>
>> Hello,
>>
>> I just started an implementation of the Digital Audio Access Protocol
>> [1] in Squeak. This protocol is used by Apple's iTunes [2] to share
>> music over a LAN. I found very little documentation [3] on this
>> protocol, since Apple has decided not to disclose the documentation
>> on its specifics.
>> I have published the little code I wrote so far on SqueakSource [4].
>> I am stuck after the login request. As I understand it, iTunes
>> doesn't send you the session-id, but an encrypted id, leaving you to
>> decrypt it. Unfortunately, Apple added some byte switching or
>> something to the classic MD5 encryption (I'm far from an expert in
>> crypto, so I might not be using the appropriate vocabulary). I found
>> a C library to connect to daap shares [5], but I didn't really get it,
>> even after looking at the code.
>>
>> I would appreciate any help to figure this session-id thing out :) I
>> think having a daap implementation in Squeak can be really useful
>> for multimedia purposes, and we could probably find cool applications :p
>>
>> Here is the code I write in a workspace to get a daapsession:
>>
>>   DaapSession connectTo: 'localhost'.
>>
>> This will return a DaapSession knowing the server, the content codes
>> (typing info) and a DaapLogin. The encrypted session-id is accessible
>> via DaapSession>>sid (or DaapLogin>>mlid).
>>
>> Thanks,
>>
>> Yann
>>
>> [1] http://en.wikipedia.org/wiki/Digital_Audio_Access_Protocol
>> [2] http://www.apple.com/itunes/overview/
>> [3] http://tapjam.net/daap/
>> [4] http://www.squeaksource.com/daap.html
>> [5] http://crazney.net/programs/itunes/authentication.html
>>
>> _______________________________________________
>> Cryptography mailing list
>> Cryptography at lists.squeakfoundation.org
>> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography

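The login response in the quoted dump can be decoded as follows. This is an added Python example, not code from the thread or from the SqueakSource project. It assumes the DMAP item layout of a 4-byte code, a 4-byte big-endian length and a payload, and the codes `mlog` and `mstt` for the names in the dump; `SAMPLE` is constructed from the dump's values, zero-padded to the declared 0x24 length.

```python
import struct

# DMAP codes for the names in the quoted dump: code -> (name, kind).
# "mlid" appears in the thread; "mlog" and "mstt" are assumed here.
CODES = {
    b"mlog": ("dmap.loginresponse", "container"),
    b"mstt": ("dmap.status", "int"),
    b"mlid": ("dmap.sessionid", "int"),
}

def parse_dmap(buf):
    """Parse items laid out as code(4) + big-endian length(4) + payload."""
    out, pos = {}, 0
    while pos + 8 <= len(buf):
        code, length = struct.unpack_from(">4sI", buf, pos)
        if code == b"\x00\x00\x00\x00":
            break                      # all-0 tag: trailing padding, stop
        pos += 8
        body = buf[pos:pos + length]
        name, kind = CODES.get(code, (code.decode("latin-1"), "raw"))
        if kind == "container":
            # The declared length may exceed what was received; the slice
            # clamps to the bytes present and the children are checked.
            out[name] = parse_dmap(body)
        elif len(body) < length:
            raise ValueError("truncated item %s" % name)
        else:
            out[name] = int.from_bytes(body, "big") if kind == "int" else body
        pos += length
    return out

def session_id(response):
    """Return the session-id from a login response body."""
    login = parse_dmap(response)["dmap.loginresponse"]
    if login.get("dmap.status") != 200:
        raise ValueError("login failed: %r" % login.get("dmap.status"))
    return login["dmap.sessionid"]

def byte_swapped(value):
    """The same 4 bytes read little-endian (AABBCCDD -> DDCCBBAA)."""
    return int.from_bytes(value.to_bytes(4, "big"), "little")

# Constructed sample: the dump's values, zero-padded to the declared 0x24.
SAMPLE = (b"mlog" + struct.pack(">I", 0x24)
          + b"mstt" + struct.pack(">I", 4) + struct.pack(">I", 200)
          + b"mlid" + struct.pack(">I", 4) + struct.pack(">I", 0x40E)
          + b"\x00" * 12)

if __name__ == "__main__":
    sid = session_id(SAMPLE)
    print(sid, byte_swapped(sid))
```

Comparing `session_id(...)` with `byte_swapped(...)` of the same value shows quickly whether a client is sending the session-id in the wrong byte order.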

