[7978] in cryptography@c2.net mail archive


Re: Malign SSL server attacks

daemon@ATHENA.MIT.EDU (Eric Murray)
Thu Oct 19 00:44:47 2000

Date: Wed, 18 Oct 2000 15:38:45 -0700
From: Eric Murray <ericm@lne.com>
To: rsalz@CaveoSystems.com
Cc: cryptography@c2.net
Message-ID: <20001018153845.F3012@slack.lne.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200010171602.MAA13355@os390.caveosystems.com>; from rsalz@CaveoSystems.com on Tue, Oct 17, 2000 at 12:02:35PM -0400

On Tue, Oct 17, 2000 at 12:02:35PM -0400, rsalz@CaveoSystems.com wrote:
> I am not familiar enough with the protocol to answer this question:
> is it possible for an evil SSL server to send packets such that it
> ends up with an arbitrary signature from a client?  I'm trying to
> emphasize the importance of keyUsage bits. :)

The only time the client signs something is when the
server requests client auth.  In TLS, the client signs MD5 and/or SHA1
hashes of the TLS handshake messages that have passed between
the client and server at that point in the protocol.

In SSLv3, it signs an MD5 and/or SHA1 HMAC-like (nested hash with pads)
of the same handshake messages.

So it looks like the answer is no.

-- 
  Eric Murray http://www.lne.com/ericm  ericm at lne.com  PGP keyid:E03F65E5
                     Consulting Security Architect
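
An added example, not part of the original message: a Python sketch of the value the client signs in CertificateVerify, in the TLS 1.0 form (plain MD5 and SHA-1 of the handshake messages) and the SSLv3 form (nested hash with pads, keyed by the master secret). The function names and the simplified transcript bytes are assumptions made for illustration; the point is that the signed value covers the client's own random, which the server does not choose.

```python
import hashlib
import os

# SSLv3 pad bytes: 0x36 and 0x5c, repeated 48 times for MD5 and 40 times for SHA-1.
PAD1, PAD2 = b"\x36", b"\x5c"
PAD_LEN = {"md5": 48, "sha1": 40}


def tls10_certificate_verify_input(handshake_messages: bytes) -> bytes:
    """TLS 1.0: MD5 || SHA-1 over all handshake messages exchanged so far.
    An RSA client signs all 36 bytes; a DSA client signs only the SHA-1 part."""
    return (hashlib.md5(handshake_messages).digest()
            + hashlib.sha1(handshake_messages).digest())


def sslv3_certificate_verify_input(handshake_messages: bytes,
                                   master_secret: bytes) -> bytes:
    """SSLv3: hash(master_secret + pad2 + hash(messages + master_secret + pad1))."""
    out = b""
    for name in ("md5", "sha1"):
        n = PAD_LEN[name]
        inner = hashlib.new(
            name, handshake_messages + master_secret + PAD1 * n).digest()
        out += hashlib.new(name, master_secret + PAD2 * n + inner).digest()
    return out


def transcript(client_random: bytes, server_messages: bytes) -> bytes:
    """Constructed stand-in for the handshake transcript (hypothetical helper,
    not a real wire encoding): a ClientHello carrying the client's random,
    followed by whatever the server sent. A real transcript also includes the
    client's Certificate and ClientKeyExchange messages."""
    client_hello = b"\x01" + client_random
    return client_hello + server_messages


if __name__ == "__main__":
    # The server controls its own flight, but each client run uses a fresh random,
    # so the same server messages never yield the same value to be signed.
    server_flight = b"constructed ServerHello|Certificate|CertificateRequest"
    for _ in range(2):
        t = transcript(os.urandom(32), server_flight)
        print(tls10_certificate_verify_input(t).hex())
    # SSLv3 additionally mixes in the master secret (constructed value here).
    print(sslv3_certificate_verify_input(t, b"\x00" * 48).hex())
```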

