[16483] in cryptography@c2.net mail archive
Re: SSL/TLS passive sniffing
daemon@ATHENA.MIT.EDU (Eric Rescorla)
Wed Dec 1 01:52:28 2004
X-Original-To: cryptography@metzdowd.com
To: iang@systemics.com
Cc: "Ben Nagy" <bnagy@eeye.com>, cryptography@metzdowd.com
Reply-To: EKR <ekr@rtfm.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 30 Nov 2004 22:00:32 -0800
In-Reply-To: <3441.82.70.142.134.1101836292.squirrel@82.70.142.134> (Ian
Grigg's message of "Tue, 30 Nov 2004 12:38:12 -0500 (EST)")
"Ian Grigg" <iang@systemics.com> writes:
> Ben raises an interesting thought:
>
>> There was some question about whether this is possible for connections that
>> use client-certs, since it looks to me from the spec that those connections
>> should be using one of the Diffie Hellman cipher suites, which is obviously
>> not vulnerable to a passive sniffing 'attack'. Active 'attacks' will
>> obviously still work. Bear in mind that we're talking about deliberate
>> undermining of the SSL connection by organisations, usually against their
>> website users (without talking about the goodness, badness or legality of
>> that), so "how do they get the private keys" isn't relevant.
>
> We have the dichotomy that DH protects against all passive
> attacks, and a signed cert protects against most active attacks,
> and most passive attacks, but not passive attacks where the
> key is leaked, and not active attacks where the key is
> "forged" (as a cert).
>
> But we do not use both DH and certificates at the same time,
> we generally pick one or the other.
>
> Could we however do both?
>
> In the act of a public key protected key exchange, Alice
> generally creates a random key and encrypts that to Bob's
> public key. That random then gets used for further traffic.
>
> However could one do a Diffie Hellman key exchange and do this
> under the protection of the public key? In which case we are
> now protected from Bob aggressively leaking the public key.
> (Or, to put it more precisely, Bob would now have to record
> and leak all his traffic as well, which is a substantially
> more expensive thing to engage in.)

Uh, you've just described the ephemeral DH mode that IPsec
always uses and SSL provides.

Try googling for "station to station protocol"

-Ekr
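
The contrast discussed in this thread, as an added example that is not part of the original messages: with RSA key transport, a passive recorder who later obtains the server's private key recovers the session key, while with ephemeral DH signed by that same key it does not. The toy parameters (textbook RSA on two Mersenne primes, a 127-bit DH group with generator 3) and all function names are assumptions chosen so the script runs on the Python standard library alone; they are not secure.

```python
# Added illustration with toy parameters (textbook RSA, 127-bit DH group); not secure.
import hashlib, secrets

P, Q, E = 2**61 - 1, 2**89 - 1, 65537         # toy RSA primes (Mersenne), constructed
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))   # D is the server's long-term private key
DH_P, DH_G = 2**127 - 1, 3                    # toy DH group, constructed

def kdf(secret):
    """Derive a session key from a shared secret."""
    return hashlib.sha256(str(secret).encode()).hexdigest()

def digest(value):
    """Hash a value into the RSA modulus range for signing."""
    return int.from_bytes(hashlib.sha256(str(value).encode()).digest(), "big") % N

def rsa_key_transport():
    """Client encrypts a random premaster secret to the server's public key."""
    premaster = secrets.randbelow(N - 2) + 2
    wire = {"encrypted_premaster": pow(premaster, E, N)}
    return kdf(premaster), wire

def signed_ephemeral_dh(tamper=False):
    """Server signs a fresh DH share; both exponents are discarded after use."""
    b = secrets.randbelow(DH_P - 3) + 2
    server_share = pow(DH_G, b, DH_P)
    signature = pow(digest(server_share), D, N)       # long-term key only signs
    if tamper:
        server_share = (server_share + 1) % DH_P      # share altered in transit
    if pow(signature, E, N) != digest(server_share):  # client verifies before use
        return None, None
    a = secrets.randbelow(DH_P - 3) + 2
    client_share = pow(DH_G, a, DH_P)
    assert pow(client_share, b, DH_P) == pow(server_share, a, DH_P)  # both sides agree
    wire = {"server_share": server_share, "signature": signature,
            "client_share": client_share}
    return kdf(pow(server_share, a, DH_P)), wire

def recorder_with_leaked_key(wire, leaked_d):
    """Passive recorder applies the leaked private key to every recorded value."""
    return {kdf(pow(v, leaked_d, N)) for v in wire.values()}

if __name__ == "__main__":
    key, wire = rsa_key_transport()
    print("RSA transport, key recovered:", key in recorder_with_leaked_key(wire, D))
    key, wire = signed_ephemeral_dh()
    print("Signed DHE, key recovered:", key in recorder_with_leaked_key(wire, D))
    print("Tampered share accepted:", signed_ephemeral_dh(tamper=True)[0] is not None)
```
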