[18261] in bugtraq
Re: "The End of SSL and SSH?"
daemon@ATHENA.MIT.EDU (Ajax)
Thu Dec 21 01:03:51 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.BSO.4.10.10012201927210.8437-100000@firest0rm.org>
Date: Wed, 20 Dec 2000 19:38:35 -0600
Reply-To: Ajax <ajax@FIREST0RM.ORG>
From: Ajax <ajax@FIREST0RM.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <3A40EBEE.11B10D11@wirex.com>
On Wed, 20 Dec 2000, Crispin Cowan wrote:
> Kurt Seifried wrote:
>
> SSL, SSH, and PGP each took a different approach to addressing, if not
> solving, the initial key placement problem, and each has its own
> strengths & weaknesses:
Allow me to refer everyone to the SRP protocol (http://srp.stanford.edu/),
which accomplishes a cryptographically strong password exchange and uses
it to establish a session key. This works by assuming you already have a
password stored on the remote host (you do, in /etc/shadow), and therefore
pushes the initial key placement problem up to account creation time,
which we assume is a secure event, right?
The only problem with SRP is that it doesn't allow you to verify the
trustedness of the client (well, you can, but it requires you to, for
example, add an IP address to the username string and store a unique hash
for each IP she might be coming from).
But, as has been said, key placement is a hard problem.
-=:[ ajax
