Bugtraq mailing list archives

Re: "The End of SSL and SSH?"


From: Ajax <ajax () FIREST0RM ORG>
Date: Wed, 20 Dec 2000 19:38:35 -0600

On Wed, 20 Dec 2000, Crispin Cowan wrote:

Kurt Seifried wrote:

SSL, SSH, and PGP each took a different approach to addressing, if not
solving, the initial key placement problem, and each has its own
strengths & weaknesses:

Allow me to refer everyone to the SRP protocol (http://srp.stanford.edu/),
which accomplishes a cryptographically strong password exchange and uses
it to establish a session key.  This works by assuming you already have a
password stored on the remote host (you do, in /etc/shadow), and therefore
pushes the initial key placement problem up to account creation time,
which we assume is a secure event, right?

The only problem with SRP is that it doesn't allow you to verify the
trustedness of the client (well, you can, but it requires you to, for
example, add an IP address to the username string and store a unique hash
for each IP she might be coming from).

But, as has been said, key placement is a hard problem.

-=:[ ajax
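The exchange described in the message above, as an added example that is not part of the original post or of the SRP project's code: both sides are simulated in one process using the later SRP-6a equations with a simplified hash encoding, and the per-IP binding is modelled by folding the address into the identity string. The group parameters, `bound_identity`, the sample user, address and passphrase are all constructed assumptions.

```python
import hashlib
import secrets

# Constructed demo group (assumption): the Mersenne prime 2**521 - 1 with g = 3.
# A real deployment uses a vetted safe-prime group instead.
N, g = 2**521 - 1, 3

def H(*parts):
    """SHA-256 over length-prefixed parts, returned as an integer."""
    h = hashlib.sha256()
    for p in parts:
        b = p if isinstance(p, bytes) else str(p).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier

def bound_identity(user, ip):
    """Hypothetical client binding from the post: IP folded into the username."""
    return f"{user}@{ip}"

def enroll(identity, password):
    """Account creation: the server keeps (salt, verifier), never the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, H(salt, identity, password), N)

def login(db, identity, password):
    """One exchange; returns (client_key, server_key), or None if no record."""
    if identity not in db:
        return None
    salt, v = db[identity]
    a = secrets.randbelow(N - 2) + 1      # client's ephemeral secret
    A = pow(g, a, N)                      # client -> server: identity, A
    b = secrets.randbelow(N - 2) + 1      # server's ephemeral secret
    B = (k * v + pow(g, b, N)) % N        # server -> client: salt, B
    u = H(A, B)
    if A % N == 0 or B % N == 0 or u == 0:
        raise ValueError("abort: degenerate value")  # each side checks its peer
    x = H(salt, identity, password)       # client recomputes x from the password
    s_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    s_server = pow(A * pow(v, u, N) % N, b, N)
    return H(s_client), H(s_server)       # session keys; equal only on success

if __name__ == "__main__":
    ident = bound_identity("alice", "192.0.2.10")        # constructed sample
    db = {ident: enroll(ident, "constructed-passphrase")}
    ck, sk = login(db, ident, "constructed-passphrase")
    print("keys match:", ck == sk)
```

In the real protocol the two keys are never compared directly; each side proves knowledge of its key with a hash exchanged over the wire.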

