From: James S. <ji...@ji...> - 2014-10-16 12:42:01
What does TLS bring to the table if the authentication mechanism generates a secure session key? Crypto libraries are a dime a dozen.

On Thursday, October 16, 2014, marius adrian popa <ma...@gm...> wrote:

> Jim, I wasn't talking about the auth part, that is solved. I was thinking
> about the encrypted data channel.
>
> On Mon, Oct 13, 2014 at 5:23 PM, Jim Starkey <ji...@ji...> wrote:
>
>> Why on earth would someone authenticate with SRP then drop in TLS?
>>
>> TLS/SSL was designed to authenticate a server to an anonymous client,
>> which it does very well. But if the client has an account/password pair,
>> TLS/SSL is unnecessary, is unreasonably expensive in round trips, and is
>> unnecessarily insecure.
>>
>> The essential problem with TLS is that it uses a public key crypto
>> system, aka PKIS aka certificates, to exchange session keys. If the
>> server's certificate's private key is exposed by accident, leak, hack, or
>> governmental authority, anyone with that key can decrypt all past and
>> future sessions that use that certificate. In the United States, a company
>> is legally obliged to surrender keys on secret demand from the FBI. Once
>> the company has complied, all sessions on that key are blown -- and the
>> company is forbidden to warn other customers.
>>
>> SRP performs mutual authentication between client and server in a single
>> round trip which can piggy back on the initial connection protocol packet.
>> In the process, it generates a completely secure key that can be used as a
>> session key to encrypt the next packet to the server. If the server
>> validates the first encrypted message, the handshake is done. And, even
>> better, the session key exists only in memory on the client and server, so
>> there is never anything to fork over to a snooping government.
>>
>> SRP/RC4 is robust, efficient, secure, and provides perfect forward
>> security. TLS is none of these.
>>
>> On 10/13/2014 5:22 AM, marius adrian popa wrote:
>>
>>> My guess is that after SRP auth we can create a secure TLS channel.
>>>
>>> Usually it is solved by creating and opening another port like 4443 or
>>> with protocol modifications using the Firebird port.
>>>
>>> http://superuser.com/questions/567594/how-to-set-up-a-server-to-use-tls-srp-authentication
>>> http://matthewarcus.wordpress.com/2014/05/10/srp-in-openssl/
>>>
>>> ps: we can start using OpenSSL even if we only need to mention it
>>> http://stackoverflow.com/questions/6720610/when-and-where-to-mention-usage-of-openssl
>>> http://en.wikipedia.org/wiki/OpenSSL#Licensing
>>>
>>> pps: or I would use the BoringSSL from Chromium/Android
>>> https://www.imperialviolet.org/2014/06/20/boringssl.html
>>> http://arstechnica.com/security/2014/06/google-unveils-independent-fork-of-openssl-called-boringssl/
>>>
>>> Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
>>
>> --
>> Jim Starkey
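To make the single-round-trip exchange Jim describes concrete, here is an added walk-through of SRP-6a in Python. It is not code from this thread or from Firebird: the group (2^127 - 1, g = 3) and the user/password values are constructed for readability and far too small for real use, and SHA-256 stands in for the RFC's hash. It shows the server holding only a verifier, both sides arriving at the same K from one A/B exchange, the proof M1 that a first keyed message can carry, and a wrong password failing at the proof rather than leaking anything.

```python
import hashlib
import secrets

# Toy modulus and generator, constructed for readability only: 2**127 - 1 is
# prime but far too small for real use; deployments use the RFC 5054 groups.
N = 2**127 - 1
g = 3


def H(*parts):
    """Hash ints/bytes/str into an integer (SRP-6a specifies SHA-1; SHA-256 here)."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        elif isinstance(p, str):
            p = p.encode()
        h.update(p)
    return int.from_bytes(h.digest(), "big")


k = H(N, g)  # SRP-6a multiplier, derived from the group parameters


def enroll(username, password):
    """Server stores (salt, verifier); the password itself never leaves the client."""
    salt = secrets.token_bytes(16)
    x = H(salt, H(f"{username}:{password}"))
    return salt, pow(g, x, N)


def srp_exchange(username, password, salt, verifier):
    """One round trip: client sends A, server answers (salt, B); each side then
    derives K from its own ephemeral secret (a or b), which never hits the wire.
    Returns (K_client, K_server, server_accepts_M1, client_accepts_M2)."""
    a = secrets.randbelow(N); A = pow(g, a, N)                     # client ephemeral
    b = secrets.randbelow(N); B = (k * verifier + pow(g, b, N)) % N  # server ephemeral
    u = H(A, B)
    # Client side: uses the password, never the verifier.
    x = H(salt, H(f"{username}:{password}"))
    K_c = H(pow((B - k * pow(g, x, N)) % N, a + u * x, N))
    # Server side: uses the stored verifier, never the password.
    K_s = H(pow(A * pow(verifier, u, N) % N, b, N))
    # Proofs: the first keyed message doubles as handshake confirmation (M1),
    # and the server's reply (M2) completes mutual authentication.
    M1 = H(A, B, K_c)
    server_ok = M1 == H(A, B, K_s)
    M2 = H(A, M1, K_s)
    client_ok = M2 == H(A, M1, K_c)
    return K_c, K_s, server_ok, client_ok
```

Because a and b are discarded after the exchange, a later disclosure of the verifier database gives nothing that recomputes K for a recorded session, which is the forward-secrecy property Jim contrasts with a leaked certificate key.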