[3132] in WWW Security List Archive
PCT and SSL
daemon@ATHENA.MIT.EDU (Jorge Figueiredo)
Wed Oct 2 15:03:22 1996
Date: Wed, 02 Oct 1996 17:23:24 +0000
From: Jorge Figueiredo <jf@porto.ucp.pt>
Reply-To: jf@porto.ucp.pt
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Hello,
I read in the PCT 2.0 Draft (Private Communications Technology) that
the PCT 1.0 Draft had a description of the differences between PCT and SSL,
so I looked for it and I found the following:
> The PCT protocol differs from SSL chiefly in the design of its
> handshake phase, which differs from SSL's in a number of respects:
>
> - The round and message structures are considerably shorter and
> simpler: a reconnected session without client authentication
> requires only one message in each direction, and no other type of
> connection requires more than two messages in each direction.
>
> - Negotiation for the choice of cryptographic algorithms and formats
> to use in a session has been extended to cover more protocol
> characteristics and to allow different characteristics to be
> negotiated independently. The PCT client and server negotiate, in
> addition to a cipher type and server certificate type, a hash
> function type and a key exchange type. If client authentication is
> requested, a client certificate type and signature type are also
> negotiated.
>
> - Message authentication has been revamped so that it now uses
> different keys from the encryption keys. Thus, message
> authentication keys may be much longer (and message authentication
> therefore much more secure) than the encryption keys, which may be
> weak or even non-existent.
>
> - A security hole in SSL's client authentication has been repaired;
> the PCT client's authentication challenge response now depends on
> the type of cipher negotiated for the session. SSL's client
> authentication is independent of the cipher strength used in the
> session and also of whether the authentication is being performed
> for a restarted session or a new one. As a result, a
> "man-in-the-middle" attacker who has obtained the session key for
> a session using weak cryptography, can use this broken session to
> authenticate as the client in a session using strong cryptography.
> If, for example, the server normally restricts certain sensitive
> functions to high-security sessions, then this security hole allows
> intruders to circumvent the restriction.
>
> - A "verify-prelude" field has been added to the handshake phase,
> with which the client and server can check that the cipher type
> (and other) negotiations carried out in the clear have not been
> tampered with. (SSL version 3 uses a similar mechanism, but its
> complete version 2 compatibility negates its security function,
> by allowing adversaries simply to alter version numbers as well
> as cipher types.)
Are these weaknesses of SSL true for version 3?
Can you tell me any source where I can find a comparison between PCT and
SSL?
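
An added illustration, not part of the original message or of the PCT draft: a simplified model of two ideas from the quoted text, a handshake check computed over the cleartext negotiation (the "verify-prelude" idea) and message authentication keys kept separate from, and longer than, a weak encryption key. The message layout, the labels, the function names and the use of HMAC-SHA256 are assumptions made for this sketch and are not the PCT wire format or its hash construction.

```python
import hashlib
import hmac
import json

def derive_key(master, label):
    """Derive an independent key per purpose from the shared master secret."""
    return hmac.new(master, label, hashlib.sha256).digest()

def session_keys(master, enc_bits):
    """Return (encryption key, MAC key); only the encryption key is shortened."""
    enc = derive_key(master, b"encrypt")[: enc_bits // 8]
    return enc, derive_key(master, b"record-mac")

def encode(msg):
    """Canonical encoding of a cleartext handshake message (hypothetical format)."""
    return json.dumps(msg, sort_keys=True).encode()

def prelude_tag(master, transcript):
    """MAC over every cleartext negotiation message this side saw."""
    mac = hmac.new(derive_key(master, b"handshake-mac"), digestmod=hashlib.sha256)
    for m in transcript:
        mac.update(len(m).to_bytes(4, "big") + m)  # length-prefix each message
    return mac.digest()

def handshake(master, tamper=None):
    """Run one negotiation; True means the server accepts the client's tag."""
    hello = encode({"ciphers": ["strong-128", "export-40"], "hashes": ["sha", "md5"]})
    on_wire = tamper(hello) if tamper else hello        # what the server receives
    offered = json.loads(on_wire)
    reply = encode({"cipher": offered["ciphers"][0], "hash": offered["hashes"][0]})
    client_tag = prelude_tag(master, [hello, reply])    # covers what the client sent
    server_tag = prelude_tag(master, [on_wire, reply])  # covers what the server saw
    return hmac.compare_digest(client_tag, server_tag)

def strip_strong(hello):
    """Constructed in-path change: the strong cipher is removed from the offer."""
    msg = json.loads(hello)
    msg["ciphers"] = [c for c in msg["ciphers"] if not c.startswith("strong")]
    return encode(msg)

if __name__ == "__main__":
    master = b"\x01" * 32  # constructed sample secret, assumed unknown to the attacker
    print("untampered accepted:", handshake(master))
    print("altered offer accepted:", handshake(master, tamper=strip_strong))
    enc, mac = session_keys(master, 40)
    print("encryption key bytes:", len(enc), "MAC key bytes:", len(mac))
```

The check only helps if both sides always perform it; as the quoted text notes for SSL version 3, a fallback to a version without the check lets the alteration go unnoticed.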