Menu
▾
▴
Re: [Firebird-devel] next steps tls + srp and the boring ssl
|
From: marius a. p. <ma...@gm...> - 2014-10-16 11:40:35
|
Jim i wasn't talking about the auth part that is solved i was thinking about the encrypted data channel On Mon, Oct 13, 2014 at 5:23 PM, Jim Starkey <ji...@ji...> wrote: > Why on earth would someone authenticate with SRP then drop in TLS? > > TLS/SSL was designed to authenticate a server to an anonymous client, > which it does very well. But if the client has an account/password pair, > TLS/SSL is unnecessary, is unreasonably expensive in round trips, and is > unnecessarily insecure. > > The essential problem with TLS is that it uses a public key crypto system, > aka PKIS aka certificates, to exchange session keys. If the server's > certificate's private key is exposed by accident, leak, hack, or > governmental authority, anyone with that key can decrypt all past and > future sessions that use that certificate. In the United States, a company > is legally obliged to surrender keys on secret demand from the FBI. Once > the company has complied, all sessions on that key are blown -- and the > company is forbidden to warn other customers. > > SRP performs mutual authentication between client and server in a single > round trip which can piggy back on the initial connection protocol packet. > In the process, it generates a completely secure key that can be used as a > session key to encrypt the next packet to the server. If the server > validates the first encrypted message, the handshake is done. And, even > better, the session key exists only in memory on the client and server, so > there is never anything to fork over to a snooping government. > > SRP/RC4 is robust, efficient, secure, and provides perfect forward > security. TLS is none of these. > > > > > On 10/13/2014 5:22 AM, marius adrian popa wrote: > > My guess is that after srp auth we can create a secure tls channel > > usually is solved by creating and opening another port like 4443 or > with protocol modifications using the firebird port > > > http://superuser.com/questions/567594/how-to-set-up-a-server-to-use-tls-srp-authentication > > > http://matthewarcus.wordpress.com/2014/05/10/srp-in-openssl/ > > > ps: we can start using openssl even if only need to mention it > > > http://stackoverflow.com/questions/6720610/when-and-where-to-mention-usage-of-openssl > http://en.wikipedia.org/wiki/OpenSSL#Licensing > > pps: or i would use the boringssl from cromium/android > https://www.imperialviolet.org/2014/06/20/boringssl.html > > http://arstechnica.com/security/2014/06/google-unveils-independent-fork-of-openssl-called-boringssl/ > > > ------------------------------------------------------------------------------ > Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer > Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports > Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper > Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzerhttp://p.sf.net/sfu/Zoho > > > > Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel > > > > > ------------------------------------------------------------------------------ > Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer > Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports > Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper > Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer > http://p.sf.net/sfu/Zoho > Firebird-Devel mailing list, web interface at > https://lists.sourceforge.net/lists/listinfo/firebird-devel > > |
