Re: authentication (SRP*, DH, TLS)
- From: "xmath" <xmath.news@xxxxxxxxx>
- Date: 15 Apr 2006 02:56:21 -0700
Joseph Ashwood wrote:
Unfortunately, it is necessary to encrypt the channel, otherwise you have
only renamed the Man in the Middle to Hijacker in the Middle as now he
simply sits in the middle until after authentication, then hijacks the
connection.
Encryption neither sufficient nor necessary here though. What is
necessary is to simply authenticate all communication. Encryption
hides information, authentication makes sure you know who you're
talking to and that the communication is intact.
The simplest way to authenticate a strema of messages via TCP is by
sending message M[i] as the authenticated message length(M[i]) || M[i]
|| H[i] where H[i] = MAC(K, H[i-1] || M[i]).
Here take H[0] as a fixed constant -- a different one for the
client->server direction than for the server->client direction. MAC
can be HMAC-SHA1, Poly1305-AES, or any other decent MAC. The explicit
message length can be omitted if the message space is already
prefix-free.
Sending a nonce in a message and getting it back in a reply message
will also ensure liveliness (replay protection). As to establishing
the key K, see my previous post.
- xmath
.
- Follow-Ups:
- Re: authentication (SRP*, DH, TLS)
- From: xmath
- Re: authentication (SRP*, DH, TLS)
- References:
- authentication (SRP*, DH, TLS)
- From: gmu2006
- Re: authentication (SRP*, DH, TLS)
- From: Joseph Ashwood
- authentication (SRP*, DH, TLS)
- Prev by Date: AES Timing Attack Implementation & Karl Malbrain code...
- Next by Date: Re: RSA Security Hiring Announcement
- Previous by thread: Re: authentication (SRP*, DH, TLS)
- Next by thread: Re: authentication (SRP*, DH, TLS)
- Index(es):
Relevant Pages
|
