iTunes® Authentication Documentation

*New for iTunes 4.5 - 29 April 2004.*

Yesterday Apple released a new version of iTunes which updates the DAAP protocol. Among the changes to the protocol is a new authentication algorithm. They have changed the strings that get used for the hash table, included a few more things in the hash table, and, more importantly, no longer use a real MD5 algorithm. Apple (obviously in a futile attempt to prevent people from reversing the algorithm) has changed one byte in the MD5 transformation algorithm. Check out authentication/md5.c (in libopendaap <./libopendaap.html>) to see which one it is. Anyhow, libopendaap <./libopendaap.html> 0.2.0 supports this new stuff.

*About iTunes sharing and authentication*

After the release of Apple's® iTunes with the really cool feature that lets iTunes users play songs in iTunes shares on the network (that is, other computers running iTunes on the same local network), there were quite a number of applications released to access these shares. The ability to access these shares through third party applications is very useful to me. All of my mp3s are stored on my Apple laptop in iTunes, however I like to be able to play them on my Linux desktop also.

With a recent release of iTunes, however, Apple removed the ability for other applications to connect to iTunes shares. They did this by introducing a simple 'authentication' token to their protocol. Whenever an iTunes client tries to talk to another iTunes client, it must send along a special, unique authentication tag. The iTunes 'host' then checks that the authentication tag has been generated in the correct manner before letting the 'client' connect.

*Technical details of the authentication tag*

It turns out that this authentication tag is an MD5 hash of several unique strings (which themselves have been MD5'd) and a string representing the current request.
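The tag structure described above, as an added example that is not part of the original page and is not libopendaap's code: it uses standard MD5 rather than Apple's modified variant, and the seed strings, request strings and the order in which the pieces are hashed are constructed placeholders. It shows why a host that recomputes the tag rejects one replayed on a different request or built from an older string table.

```python
import hashlib
import hmac

# Constructed placeholder strings; the page does not list the real ones.
CURRENT_SEEDS = ["example-seed-one", "example-seed-two", "example-seed-three"]
OLDER_SEEDS = ["example-old-seed-one", "example-old-seed-two"]


def build_table(seeds):
    """Hash each fixed string once; the table stores the hex MD5 digests."""
    return [hashlib.md5(s.encode("ascii")).hexdigest() for s in seeds]


def make_tag(request, table):
    """MD5 over the pre-hashed strings followed by the request string.

    The concatenation order is an assumption made for this sketch.
    """
    h = hashlib.md5()
    for entry in table:
        h.update(entry.encode("ascii"))
    h.update(request.encode("ascii"))
    return h.hexdigest().upper()


def host_accepts(request, tag, table):
    """Host side: recompute the tag for this exact request and compare."""
    return hmac.compare_digest(make_tag(request, table), tag.upper())


if __name__ == "__main__":
    host_table = build_table(CURRENT_SEEDS)
    request = "/example/items?session=1"  # constructed request string
    tag = make_tag(request, host_table)
    print("tag:", tag)
    print("same request:", host_accepts(request, tag, host_table))
    # A tag is bound to one request string, so it fails on another.
    print("other request:", host_accepts("/example/other", tag, host_table))
    # A client built with an older string table is rejected after an update.
    stale = make_tag(request, build_table(OLDER_SEEDS))
    print("older table:", host_accepts(request, stale, host_table))
    # In this sketch every input is a constant shipped in the client or part
    # of the request, so the check identifies client software, not a user.
```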
*Legalities*

The algorithm was discovered using a combination of several complicated reverse engineering tools and methods. Although I am not a lawyer, I believe that this is totally in line with the law. The reverse engineering was done for the sole purpose of interoperability, and I believe falls well within fair use.

*Implementation:*

An implementation, released under a BSD-style license, is available from my own DAAP library, libopendaap <./libopendaap.html>, and can be found in authentication/hasher.c

*Note to developers:*

Before you start writing yet another DAAP library using information from this web page, please consider contributing to libopendaap <./libopendaap.html> instead. The wheel has been reinvented enough already! If you require any features in libopendaap, just let me know.

*Author:*

This algorithm was reverse engineered and first re-implemented by myself, David Hammerton. Contact me at http://crazney.net

*Contact info:*

See the front page for contact details.

Apple and iTunes are registered trademarks of Apple Computer, Inc.