Firewall Wizards mailing list archives

RE: Security of HTTPS


From: "Ben Nagy" <ben () iagu net>
Date: Mon, 29 Nov 2004 10:04:14 +0100

-----Original Message-----
On Sun, 2004-11-28 at 10:15, Ng Pheng Siong wrote:
In SSL/TLS, the client certificate request is optional, and its typical
use, HTTPS, does not require client certificates, so there is no client
public/private key here that can be used to "transfer encrypted key
material".

Right. But even if client certificates are used, these are only used for
authentication (signature check) and not for encryption during
master-key negotiation.

If you're using client certs then you should be using one of the
Diffie-Hellman cipher suites, shouldn't you? DH is not vulnerable to this
type of passive interception attack, and couldn't be attacked in this
way[1]. Certificate protected DH is still vulnerable to an active MitM if
someone has a copy of the server's private key.

However, the huge bulk of connections use the RSA cipher specs which _are_
vulnerable to the attack you describe. Looking at it in this light, I am
trying to work out why the implementors chose this construction (sending the
PMS simply encrypted with the server cert) instead of "one side signed"
Diffie Hellman, like IPSec-IKE, which would have obviated the passive
sniffing attack. Does anyone know?

Cheers,

ben

[1] eg, http://www.hack.gr/users/dij/crypto/overview/diffie.html
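The difference Ben is pointing at, as an added illustration that is not part of the original post: with the RSA key exchange the recorded handshake carries the premaster secret encrypted to the server's long-term key, so anyone who later obtains that key can decrypt old sessions, whereas one-side-signed ephemeral DH leaves only g^x, g^y and a signature on the wire. The RSA and DH parameters below are constructed toy values (textbook RSA, no padding, tiny modulus), chosen only so the arithmetic is visible.

```python
"""Toy model of RSA key exchange versus signed ephemeral Diffie-Hellman, to
show which one a passive observer holding the server's private key can read.
All parameters are constructed toy values; nothing here is secure."""
import secrets

# Constructed toy server RSA key pair (p=61, q=53): n, public e, private d.
RSA_N, RSA_E, RSA_D = 3233, 17, 2753
# Constructed toy DH group: Mersenne prime 2^127-1 with generator 5.
DH_P, DH_G = 2**127 - 1, 5


def rsa_key_exchange(pms: int) -> dict:
    """RSA cipher suites: the client encrypts the premaster secret (PMS) to the
    server's public key and the wire carries only Enc_pub(pms)."""
    assert 0 < pms < RSA_N, "toy PMS must fit the toy modulus"
    return {"enc_pms": pow(pms, RSA_E, RSA_N)}


def server_rsa_derive(transcript: dict) -> int:
    """The legitimate server decrypts the PMS with its private key."""
    return pow(transcript["enc_pms"], RSA_D, RSA_N)


def passive_observer_rsa(transcript: dict, server_priv: int) -> int:
    """A recorded transcript plus the server private key (obtained now or years
    later) yields the same PMS; no interaction with either party is needed."""
    return pow(transcript["enc_pms"], server_priv, RSA_N)


def signed_dhe_key_exchange() -> tuple:
    """One-side-signed ephemeral DH: the server signs g^x with its RSA key, the
    client answers with g^y, both derive g^(xy) and discard x and y.
    Returns (transcript, server_secret, client_secret)."""
    x = secrets.randbelow(DH_P - 2) + 1
    y = secrets.randbelow(DH_P - 2) + 1
    gx, gy = pow(DH_G, x, DH_P), pow(DH_G, y, DH_P)
    sig = pow(gx % RSA_N, RSA_D, RSA_N)  # toy textbook-RSA signature over g^x
    transcript = {"gx": gx, "gy": gy, "sig": sig}
    return transcript, pow(gy, x, DH_P), pow(gx, y, DH_P)


def passive_observer_dhe(transcript: dict, server_priv: int) -> dict:
    """The transcript holds g^x, g^y and the signature only. The server's
    long-term key verifies (or, for an active MitM, forges) the signature but
    decrypts nothing: deriving g^(xy) needs x or y, which never crossed the
    wire. Only the discrete-log problem stands between observer and secret."""
    valid = pow(transcript["sig"], RSA_E, RSA_N) == transcript["gx"] % RSA_N
    return {"signature_valid": valid, "recovered_secret": None}
```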


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards