Bugtraq mailing list archives
Re: "The End of SSL and SSH?"
From: Eric Rescorla <ekr () SPEEDY RTFM COM>
Date: Wed, 20 Dec 2000 23:38:35 -0800
Ajax <ajax () FIREST0RM ORG> writes:
> On Wed, 20 Dec 2000, Crispin Cowan wrote:
> Kurt Seifried wrote:
> SSL, SSH, and PGP each took a different approach to addressing, if not solving, the initial key placement problem, and each has its own strengths & weaknesses:
>
> Allow me to refer everyone to the SRP protocol (http://srp.stanford.edu/), which accomplishes a cryptographically strong password exchange and uses it to establish a session key. This works by assuming you already have a password stored on the remote host (you do, in /etc/shadow), and therefore pushes the initial key placement problem up to account creation time, which we assume is a secure event, right?
This is fine for replacing SSH, but it's not very useful for the most common application of SSL--credit card submission. It's only useful when the two parties have some prior arrangement.

Incidentally, SRP is only the latest in a long line of what are known as "strong password protocols", the original one of which is Bellovin and Merritt's EKE. For more than you ever wanted to know about this topic check out: http://www.integritysciences.com/

-Ekr
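An added illustration of the exchange discussed above, not part of the original thread and not code from the SRP project: an SRP-6a style run showing that the server stores only a salt and verifier from account creation, that both sides reach the same session key only with the right password, and that nothing can start without that prior enrollment. The function names, the use of SHA-256 and the sample credentials are assumptions made for this example.

```python
import hashlib
import secrets

# 1024-bit group (N, g) from RFC 5054 Appendix A; check it against the RFC before any reuse.
N = int("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
        "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
        "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
        "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8

def H(*parts):
    """SHA-256 (an assumption of this example); ints are left-padded to len(N)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p.to_bytes(NLEN, "big") if isinstance(p, int) else p)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier

def private_x(salt, user, password):
    """Client-side secret derived from the salt and the password."""
    return H(salt, hashlib.sha256(user + b":" + password).digest())

def enroll(user, password):
    """Account creation: the 'prior arrangement'. Server keeps (salt, verifier) only."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, user, password), N)

def login(user, password, record):
    """One protocol run with both roles inline; returns (client_key, server_key)."""
    salt, v = record                           # server side: looked up by user name
    a = secrets.randbits(256)
    A = pow(g, a, N)                           # client -> server: user, A
    b = secrets.randbits(256)
    B = (k * v + pow(g, b, N)) % N             # server -> client: salt, B
    if A % N == 0 or B % N == 0:               # each side rejects a zero public value
        raise ValueError("illegal public value")
    u = H(A, B)                                # scrambling value both sides compute
    x = private_x(salt, user, password)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow(A * pow(v, u, N) % N, b, N)
    return H(S_client), H(S_server)

if __name__ == "__main__":
    rec = enroll(b"alice", b"constructed-sample-password")
    ck, sk = login(b"alice", b"constructed-sample-password", rec)
    print("keys match with right password:", ck == sk)
    ck, sk = login(b"alice", b"guess", rec)
    print("keys match with wrong password:", ck == sk)
```

Only `user`, `A`, `salt` and `B` cross the wire, so a party relaying the connection without the password or the verifier ends up with a key that matches neither side.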