From: <pa...@co...> - 2000-02-28 19:06:39
|
> > HOW IT WORKS > > ============ > > > > It's basically a port of the netrek scheme, but much re-written to > > deal with UDP packet loss. > > > > At the low level, the server sends the client an authreq packet with > > a random number in it. The client encodes this with its public > > key. > > The client encodes it with the server's public key, right? That would be > effectively authenticating the server to the client (making sure that > ONLY this server can host this session). No. The client encodes it with it's own _private_ key, and then it's decoded at the other end with the client's _public_ key. RSA is symmetric WRT signing/authentication. > > > If the client fails to reply within 10 seconds, it is sent another > > packet, and again until 40 seconds elapse with no authnetication. > > A new authentication reqest is sent every 10 seconds. Each request > > causes the seesion key to be changed > > The client better be sending it's IP and perhaps a timestamp in the > packet encrypted with the session key, otherwise some third party can > sniff the packets and just retransmit them and hijack the connection. I > would suggest that the session key obtained in the first interchange be > used for some sort of symmetric encryption on authentication > packets...doing PKI encryption on auth packets would take forever. Use > something like DES for the intermittent auth packets. > > This last point below should deal with that. > > Actually encrypt the seesion (will remove man-in-the-middle attack). > > Patrick. |