Re: SSL and Kerberos

From: Seth Arnold (sarnold@wirex.com)
Date: 02/07/03

    Date: Fri, 7 Feb 2003 13:34:03 -0800
    From: Seth Arnold <sarnold@wirex.com>
    To: focus-linux@securityfocus.com
    
    
    

    On Fri, Feb 07, 2003 at 12:23:15PM -0500, Leland T. Snyder wrote:
    > Let's say I have a service that you log into using SSL.
    > Since the public key and private keys are the same and the handshake is the
    > same (i.e. you know the first packets are for login/password) even though as a
    > sniffer of the packets I can't read them.

    This is incorrect.

    The SSL handshake involves computing shared values from random sources
    of information. So the handshake will look different with every SSL
    connection. By the time that the application's data (login/passwd) is
    sent, the two sides have negotiated a new shared key for the connection,
    and are using new random initialization vectors, to ensure that
    dictionary attacks and replay attacks cannot take place.

    Where SSL and Kerberos make the most sense is when you'd like the
    traffic of the session to be private to the two endpoints. Kerberos does
    a good job of providing authentication, but does nothing for secrecy of
    the established connection. SSL can actually do both authentication and
    secrecy, but is lacking the centralized framework of Kerberos.

    Different tools, different purposes, and they may or may not combine
    well. But you won't need SSL for the reason you mentioned. :)

    -- 
    Join the fight against terrorism by giving up your liberties today!
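
An added example, not part of the original message: a sketch of why per-connection randomness gives every session its own keys, even when the same login is sent each time. It assumes the TLS 1.2 PRF from RFC 5246 (the SSLv3/TLS 1.0 derivation current in 2003 differs in detail), a key layout for an AES-128-CBC/HMAC-SHA1 suite, and a constructed pre-master secret; the function names are hypothetical.

```python
import hashlib
import hmac
import os


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion (RFC 5246, section 5)."""
    out = b""
    a = seed  # A(0)
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_hash(secret, label + seed, length)


def session_keys(pre_master: bytes, client_random: bytes,
                 server_random: bytes) -> dict:
    """Derive the master secret, then the per-connection key block."""
    master = prf(pre_master, b"master secret",
                 client_random + server_random, 48)
    # Assumed layout: two 20-byte MAC keys, then two 16-byte cipher keys.
    block = prf(master, b"key expansion",
                server_random + client_random, 72)
    return {
        "client_mac": block[0:20],
        "server_mac": block[20:40],
        "client_key": block[40:56],
        "server_key": block[56:72],
    }


def two_connections() -> tuple:
    """Two handshakes that reuse one pre-master secret (the worst case):
    the fresh 32-byte randoms alone are enough to change every key."""
    pre_master = bytes(48)  # constructed sample value, not a real secret
    first = session_keys(pre_master, os.urandom(32), os.urandom(32))
    second = session_keys(pre_master, os.urandom(32), os.urandom(32))
    return first, second


if __name__ == "__main__":
    for keys in two_connections():
        print({name: value.hex() for name, value in keys.items()})
```

Records captured from one connection are protected under keys that no later connection will derive, so the recorded login bytes cannot be replayed or compared against a dictionary of earlier ciphertexts.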
    
    



