Re: encrypting authentication vs payload

From: Jeff P. Van Dyke (jpv_at_vandyke.com)
Date: 06/11/03

  • Next message: Laurence Casey: "Idle Time again (OpenSSH_3.6.1p1)"
    To: "Phil Dibowitz" <phil@ipom.com>, <secureshell@securityfocus.com>
    Date: Wed, 11 Jun 2003 09:02:44 -0600
    
    

    > At work we'd like to rdist over ssh, but since clearly the data is
    > available on every host, it's by no means confidential, and since there
    > is a LOT of it and it has to happen in a small window each night, we'd
    > like to turn off encryption for the session ONLY...
    >
    > I found this in the archives:
    > http://marc.theaimsgroup.com/?l=secure-shell&m=93387968720848&w=2
    >
    > But no one seems to have answered his question... if we set the server
    > and client to accept the '-c none' flag, that doesn't encrypt the
    > authentication anymore does it? (We're using openssh)
    >
    > I have some co-workers who swear that '-c none' in commercial ssh still
    > encrypted the authentication and only sent the session data in the
    > clear... I'm not convinced that is so, anyone know off-hand?
    >
    > Either way, this doesn't seem, from the docs, to be the behavior of
    > openssh....
    >
    > Comments, suggestions?

    Phil,

    With SSH2, as the protocol is defined, if encryption is turned off,
    the username and password are sent in the clear.

    With public key authentication, the username will be sent in
    the clear, but your private key is never sent on the wire. So,
    this may be an alternative for you.

    I'm pretty sure OpenSSH doesn't support encryption none. Some
    of the commercial vendors, including VanDyke, allow you to enable
    encryption none.

    Jeff P. Van Dyke
    jpv@vandyke.com
    www.vandyke.com
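
The reply above, worked through as an added example that is not part of the original message: it builds the SSH2 user authentication request in the RFC 4252 layout for both methods and parses it the way a passive observer could when the transport cipher is none. The function names and all sample values (user, password, key blob, signature) are constructed for illustration.

```python
import struct

SSH_MSG_USERAUTH_REQUEST = 50  # message number from RFC 4252

def ssh_string(data: bytes) -> bytes:
    """SSH 'string' type: uint32 big-endian length, then the raw bytes (RFC 4251)."""
    return struct.pack(">I", len(data)) + data

def _header(user: str, method: bytes) -> bytes:
    return (bytes([SSH_MSG_USERAUTH_REQUEST]) + ssh_string(user.encode())
            + ssh_string(b"ssh-connection") + ssh_string(method))

def build_password_request(user: str, password: str) -> bytes:
    # RFC 4252 section 8: ..., "password", FALSE, plaintext password
    return _header(user, b"password") + b"\x00" + ssh_string(password.encode())

def build_publickey_request(user: str, algo: bytes, pub_blob: bytes, signature: bytes) -> bytes:
    # RFC 4252 section 7: ..., "publickey", TRUE, algorithm, public key blob, signature
    return (_header(user, b"publickey") + b"\x01" + ssh_string(algo)
            + ssh_string(pub_blob) + ssh_string(signature))

def read_string(buf: bytes, off: int):
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:end], end

def visible_fields(payload: bytes) -> dict:
    """Fields readable from the payload when no transport encryption is applied."""
    if not payload or payload[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not a userauth request")
    user, off = read_string(payload, 1)
    _service, off = read_string(payload, off)
    method, off = read_string(payload, off)
    seen = {"user": user.decode(), "method": method.decode()}
    off += 1  # skip the boolean flag byte
    if method == b"password":
        pw, off = read_string(payload, off)
        seen["password"] = pw.decode()  # the secret itself is in the message
    elif method == b"publickey":
        algo, off = read_string(payload, off)
        blob, off = read_string(payload, off)
        seen["key_algorithm"] = algo.decode()
        seen["public_key_blob_len"] = len(blob)  # public half only, no private key
    return seen

if __name__ == "__main__":
    print(visible_fields(build_password_request("rdist", "constructed-password")))
    print(visible_fields(build_publickey_request("rdist", b"ssh-rsa", b"\x00" * 32, b"\x00" * 64)))
```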

