Home page logo
/

basics logo Security Basics mailing list archives

Re: passing sensitive information over wire;options are not enough?
From: noloader () gmail com
Date: Mon, 28 Mar 2011 14:58:04 -0600

For an overview of some of the methods, see http://en.wikipedia.org/wiki/Password-authenticated_key_agreement.

In the past, I have used Thomas Wu's SRP. The protocol was standardized in RFC 2495, The SRP Authentication and Key 
Exchange System and RFC 5054, Using the Secure Remote Password (SRP) Protocol for TLS Authentication.

I used SRP because it uses exponentiation - instead of g^(ab), g^(password) is used (some hand waiving). The server 
stores a hash of the password and a salt. The server provides the salt to a client. When the user tries to log in, 
he/she combines the salt, password, and session data to arrive at the secret. An adversary guessing passwords will 
arrive at a incorrect shared secret.

I've implemented SRP with both OpenSSL and Crypto++. Crypto++ was easiest since C++ allows operator overloading. Thomas 
Wu provided a patch to OpenSSL, but the foundation has not incorporated the patch (you'll find it at HEAD - 
http://rt.openssl.org/Ticket/Display.html?id=1794&user=guest&pass=guest). When I rolled SRP for OpenSSL, I simply coded 
it from the ground up.

I am also aware of a GnuTLS implementation. Be careful of GnuTLS - it could not pass an internal security audit (your 
mileage will probably vary).

Jeff

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]