Re: Question regarding security programming newsgroups
- From: Bobby <bobbye@xxxxxxxxxxxx>
- Date: Sat, 25 Mar 2006 01:23:12 +0200
On 24 Mar 2006 13:29:05 +0100, Volker Birk <bumens@xxxxxxxxxxx> wrote:
> Bobby <bobbye@xxxxxxxxxxxx> wrote:
>> OK, so both sides will be able to initiate a key exchange,
>> A initiates to B and B to A.
>> A will get B's packet and since it is already in a key exchange with B
>> check if A < B, if yes, it will continue with the key exchange, else
>> it will stop the key exchange.
>> The same goes for B - that is what you mean, right?
> Yes.

Regarding your pseudo code:

>>> A wants to send to B:
>>> do
>>>     if there is A->B already, then
>>>         use A->B
>>>     else if there is B->A already, then
>>>         use B->A
>>>     else
>>>         connect
>>> while not using connection yet
>> when you write A->B - do you mean that A has keys with B?
> I mean, A has keys with B, because A initiated key exchange for a
> connection to B. With B->A I mean, that A has keys with B, because
> B initiated a connection with A.

>> Why do you have to ask about both cases - let's say A has to ask such a
>> thing, it actually does a quick lookup in its key db - looking up if
>> it has keys for B - if it does (and it doesn't matter if the keys were
>> because of a key negotiation initiated by A or by B), it uses the keys
>> to encrypt the packet and send it to B
> Yes, this is a way it can be implemented. I'm just thinking in connections,
> but of course, you can implement it this way.

>> what do you exactly mean by 'while not using connection yet'?
> I see the states not connected, in connection, connected for a connection.
> For a transmission I see waiting for connection, using connection.
> For the protocol, I see states. For a transmission, I see states.
> Of course, "in connection" means more states, the ones for the key
> exchange (three way handshake).

Sorry, but I still do not understand exactly what you mean here.

>>> BTW: nice idea! One should hack this and supply as a patch to an existing
>>> kernel, like the Linux kernel or some BSD kernel.
>> which idea is a nice idea
> A nice idea is to handle this transparently to the programmer _and_
> transparently to the administrator.

OK, so I assume you mean the idea of replacing all the calls to the
socket API (send/recv/connect/accept etc.) with calls to a secure
socket API, right?

>>> If help is appreciated, I'd like to join in.
>>> It could be a good idea to do it for IP. And there are some problems with
>>> possibilities for DoS attacks I can see already.
>> What do you mean by 'it' (It could be a good idea to do it for IP)?
> Yes. Sorry for my bad English ;-)

>>> When we're doing it for IP, then there is no need any more to determine
>>> between UDP and TCP or other protocols. It's like an autoconfig IPSec then.
>> Again, I don't understand what you mean by 'it' - please excuse me,
>> I am a slow learner, but after a while, I figure things out.
> If you're implementing this for IP and not for UDP or TCP, then it's like
> an autoconfig IPSec.

Forgive my question, but how can you implement this idea for IP?
When working with the sockets API I mentioned earlier, you use the API
for stream sockets (TCP) or datagram sockets (UDP); maybe I don't have
enough experience with network programming (probably), so please
explain this a little more.

Thanks :-)
Bobby

> Yours,
> VB.
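An added example, not code from the thread or from either poster: a Python simulation of the two rules the exchange above settles on, namely that when both peers start a key exchange at the same time the peer whose name sorts lower keeps its own exchange and the other abandons its attempt, and that sending afterwards uses whatever key exists with the other peer, regardless of which side initiated it. The names Peer, derive_key, xor_stream, deliver_all and the INIT/REPLY message shapes are assumptions made for this example; the key derivation and the symmetric transform are placeholders for illustration, not a real key-exchange protocol or cipher.

```python
"""Simultaneous key-exchange tiebreak and direction-independent key lookup.

Added example (not from the thread): a toy simulation of the rule discussed
above. Both peers may initiate at once; the peer whose name sorts lower keeps
its own exchange, the other abandons its own and answers. Once a key exists,
send() uses it no matter which side initiated. The "key exchange" here is a
placeholder (a hash over both nonces), not a real protocol.
"""
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed wire format for this example: (kind, sender, receiver, nonce)
Message = Tuple[str, str, str, bytes]


def derive_key(initiator: str, init_nonce: bytes, responder: str, resp_nonce: bytes) -> bytes:
    # Placeholder derivation: both sides feed the same ordered inputs, so they agree.
    material = b"|".join([initiator.encode(), init_nonce, responder.encode(), resp_nonce])
    return hashlib.sha256(material).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    # Toy symmetric transform (the same call encrypts and decrypts); illustration only.
    out = bytearray()
    for offset in range(0, len(data), 32):
        stream = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ s for b, s in zip(chunk, stream))
    return bytes(out)


class Peer:
    def __init__(self, name: str) -> None:
        self.name = name
        self.keys: Dict[str, bytes] = {}     # peer -> key, whichever side set it up
        self.pending: Dict[str, bytes] = {}  # peer -> our nonce for an exchange we started
        self.outbox: List[Message] = []

    def initiate(self, other: str) -> None:
        nonce = secrets.token_bytes(16)
        self.pending[other] = nonce
        self.outbox.append(("INIT", self.name, other, nonce))

    def receive(self, msg: Message) -> None:
        kind, sender, _, nonce = msg
        if kind == "INIT":
            if sender in self.pending and self.name < sender:
                # Both sides initiated: the lower name keeps its own exchange
                # and ignores the other INIT (the thread's "check if A < B").
                return
            # Either a plain INIT, or we lost the tiebreak: drop our own attempt.
            self.pending.pop(sender, None)
            my_nonce = secrets.token_bytes(16)
            self.keys[sender] = derive_key(sender, nonce, self.name, my_nonce)
            self.outbox.append(("REPLY", self.name, sender, my_nonce))
        elif kind == "REPLY":
            my_nonce = self.pending.pop(sender, None)
            if my_nonce is None:
                return  # stray reply for an exchange we no longer own
            self.keys[sender] = derive_key(self.name, my_nonce, sender, nonce)

    def send(self, other: str, data: bytes) -> Optional[bytes]:
        # The thread's lookup rule: a key with `other` from either direction is
        # good; with none, start (or wait for) an exchange and send nothing yet.
        key = self.keys.get(other)
        if key is None:
            if other not in self.pending:
                self.initiate(other)
            return None
        return xor_stream(key, data)

    def open(self, sender: str, ciphertext: bytes) -> Optional[bytes]:
        key = self.keys.get(sender)
        return None if key is None else xor_stream(key, ciphertext)


def deliver_all(peers: Dict[str, Peer]) -> None:
    # Lock-step delivery: everything queued in a round is "in flight" together,
    # so two INITs can cross, which is the case the tiebreak exists for.
    while any(p.outbox for p in peers.values()):
        in_flight = [m for p in peers.values() for m in p.outbox]
        for p in peers.values():
            p.outbox.clear()
        for m in in_flight:
            peers[m[2]].receive(m)


def simultaneous_exchange() -> Tuple[Peer, Peer]:
    a, b = Peer("A"), Peer("B")
    a.send("B", b"hello")  # no key yet: A initiates
    b.send("A", b"hello")  # no key yet: B initiates at the same time
    deliver_all({"A": a, "B": b})
    return a, b


if __name__ == "__main__":
    a, b = simultaneous_exchange()
    print("keys agree:", a.keys["B"] == b.keys["A"])
    print("pending left:", a.pending, b.pending)
    print("round trip:", b.open("A", a.send("B", b"secret")))
```

The crossed-INIT case is the one worth watching: A (lower name) discards B's INIT and keeps waiting for a REPLY to its own, while B discards its own pending nonce and answers A's INIT, so exactly one exchange survives and both ends derive the same key. A first call to send() with no key queues an INIT and returns None, matching the "connect, then wait while not using connection yet" shape of the pseudo code.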