[18269] in bugtraq
Re: "The End of SSL and SSH?"
daemon@ATHENA.MIT.EDU (Ryan Russell)
Thu Dec 21 12:39:55 2000
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.GSO.4.30.0012202028410.24624-100000@mail>
Date:         Wed, 20 Dec 2000 20:39:22 -0800
Reply-To: Ryan Russell <ryan@SECURITYFOCUS.COM>
From: Ryan Russell <ryan@SECURITYFOCUS.COM>
X-To:         Crispin Cowan <crispin@WIREX.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <3A40EBEE.11B10D11@wirex.com>
First Pedantic!
On Wed, 20 Dec 2000, Crispin Cowan wrote:
> What Kurt is describing is the "initial key placement" problem, and it is endemic to all cryptographic protocols.  No matter what you
> do, if you want to authenticate some remote party with a cryptographic secret, you must find some way to deliver the secret to the
> other party securely, or you end up subject to the man-in-the-middle attack.  Your crypto system is not a viable option, because by
> definition the keys that make it work are not in place yet.  You can think of it as a requirement for a secure "introduction", in the
> Victorian sense.
Secret isn't the right word.  In order for a crypto key exchange to not be
vulnerable to a MITM attack, there must be some bit of info that the two
participants share.  It's easy to see how it works with a secret.  SSL
style certificates are the best (most practical so far) example of a
non-secret bit of info that has been pre-shared (you download it with your
browser binaries.)  Everyone knows the Verisign public key.
You could put that bit of the SSL protocol into SSH without much trouble.
I kinda question how safe a private key will be on a box you've got people
SSHing into, though.
How about having an SSH master domain server thingy?  The first time you
SSH into the "main" box for a site, all of the SSH server keys for that
site get shot down to your SSH client.  Only one opportunity for the MITM
attack that way, as opposed to however many servers you've got.  That
would even make manual distribution of a chunk of keys more palatable.
Or you could PGP sign the block of them.  Or get a CA to sign a block of
them.
						Ryan
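The "signed block of server keys" idea in the post, worked through as an added example (not code from the post or from any SSH implementation). The CA's public key plays the role of the pre-shared, non-secret bit of info: the client verifies the whole block once against that key, then checks each server's host key against the block instead of trusting each first connection. Assumptions: the signature scheme is a toy Lamport one-time signature built from SHA-256, standing in for the PGP or CA signature the post suggests; the hostnames and fingerprints are constructed sample values; `verify_host_key` is a hypothetical client-side check, not an OpenSSH feature.

```python
import hashlib
import secrets

HASH = hashlib.sha256
N = 256  # digest bits; the one-time key holds one pair of preimages per bit


def keygen():
    """Lamport one-time key pair: 2*N random secrets, public key is their hashes.
    Only the public half needs to be pre-shared with clients, and it is not secret."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(HASH(a).digest(), HASH(b).digest()) for a, b in sk]
    return sk, pk


def digest_bits(message: bytes):
    """The 256 bits of SHA-256(message), most significant bit first."""
    d = HASH(message).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]


def sign(sk, message: bytes):
    """Reveal, for each digest bit, the preimage matching that bit. One use per key."""
    return [sk[i][bit] for i, bit in enumerate(digest_bits(message))]


def verify(pk, message: bytes, signature) -> bool:
    """Each revealed preimage must hash to the public-key entry for that bit."""
    if len(signature) != N:
        return False
    return all(HASH(sig).digest() == pk[i][bit]
               for i, (bit, sig) in enumerate(zip(digest_bits(message), signature)))


def encode_manifest(host_keys: dict) -> bytes:
    """Canonical bytes for the block of host keys, so signer and client hash
    exactly the same thing regardless of dict ordering."""
    return "".join(f"{host} {fp}\n" for host, fp in sorted(host_keys.items())).encode()


def verify_host_key(ca_pk, manifest: dict, signature, hostname: str, presented_fp: str) -> bool:
    """Client side: accept the block only if the pre-shared CA key verifies it,
    then accept the server's presented key only if it matches the block.
    An unsigned, altered, or incomplete block yields no trust at all."""
    if not verify(ca_pk, encode_manifest(manifest), signature):
        return False
    return manifest.get(hostname) == presented_fp


# Constructed sample data: a site's SSH servers and made-up key fingerprints.
SITE_HOST_KEYS = {
    "main.example.test": "SHA256:1f4a9b3c7d2e8f0a6b5c4d3e2f1a0b9c",
    "shell2.example.test": "SHA256:9c0b1a2f3e4d5c6b7a8f9e0d1c2b3a4f",
    "shell3.example.test": "SHA256:5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b",
}


def demo():
    """Site admin signs the block once; a client with only the CA public key
    verifies it and then checks a host key. Returns the outcomes for inspection."""
    ca_sk, ca_pk = keygen()                       # CA public key is what gets pre-shared
    signature = sign(ca_sk, encode_manifest(SITE_HOST_KEYS))
    genuine = verify_host_key(ca_pk, SITE_HOST_KEYS, signature,
                              "shell2.example.test", SITE_HOST_KEYS["shell2.example.test"])
    # A man-in-the-middle substituting its own key for shell2 fails the block check.
    substituted = verify_host_key(ca_pk, SITE_HOST_KEYS, signature,
                                  "shell2.example.test", "SHA256:deadbeefdeadbeefdeadbeefdeadbeef")
    # Rewriting the block itself to match the substituted key breaks the signature.
    altered = dict(SITE_HOST_KEYS, **{"shell2.example.test": "SHA256:deadbeefdeadbeefdeadbeefdeadbeef"})
    rewritten = verify_host_key(ca_pk, altered, signature,
                                "shell2.example.test", "SHA256:deadbeefdeadbeefdeadbeefdeadbeef")
    return genuine, substituted, rewritten


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False)
```

The client's trust still rests on getting `ca_pk` right the first time, which is exactly the single "introduction" the post is trading many first connections for. The Lamport key here must not be reused for a second block; a real deployment would use PGP or a CA certificate as the post proposes, and the same verify-then-lookup structure applies.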