From: Jim S. <ji...@ji...> - 2014-10-13 14:23:46
Why on earth would someone authenticate with SRP then drop in TLS?

TLS/SSL was designed to authenticate a server to an anonymous client, which it does very well. But if the client has an account/password pair, TLS/SSL is unnecessary, is unreasonably expensive in round trips, and is unnecessarily insecure.

The essential problem with TLS is that it uses a public key crypto system, aka PKIS aka certificates, to exchange session keys. If the server's certificate's private key is exposed by accident, leak, hack, or governmental authority, anyone with that key can decrypt all past and future sessions that use that certificate. In the United States, a company is legally obliged to surrender keys on secret demand from the FBI. Once the company has complied, all sessions on that key are blown -- and the company is forbidden to warn other customers.

SRP performs mutual authentication between client and server in a single round trip which can piggy back on the initial connection protocol packet. In the process, it generates a completely secure key that can be used as a session key to encrypt the next packet to the server. If the server validates the first encrypted message, the handshake is done. And, even better, the session key exists only in memory on the client and server, so there is never anything to fork over to a snooping government.

SRP/RC4 is robust, efficient, secure, and provides perfect forward security. TLS is none of these.

On 10/13/2014 5:22 AM, marius adrian popa wrote:
> My guess is that after srp auth we can create a secure tls channel
>
> usually is solved by creating and opening another port like 4443 or
> with protocol modifications using the firebird port
>
> http://superuser.com/questions/567594/how-to-set-up-a-server-to-use-tls-srp-authentication
>
> http://matthewarcus.wordpress.com/2014/05/10/srp-in-openssl/
>
> ps: we can start using openssl even if only need to mention it
>
> http://stackoverflow.com/questions/6720610/when-and-where-to-mention-usage-of-openssl
> http://en.wikipedia.org/wiki/OpenSSL#Licensing
>
> pps: or i would use the boringssl from Chromium/android
> https://www.imperialviolet.org/2014/06/20/boringssl.html
> http://arstechnica.com/security/2014/06/google-unveils-independent-fork-of-openssl-called-boringssl/
>
> Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel