> -----Original Message-----
> On Sun, 2004-11-28 at 10:15, Ng Pheng Siong wrote:
> > In SSL/TLS, the client certificate request is optional, and its typical
> > use, HTTPS, does not require client certificates, so there is no client
> > public/private key here that can be used to "transfer encrypted key
> > material".
>
> Right. But even if client certificates are used, these are only used for
> authentication (signature check) and not for encryption during
> master-key negotiation.
If you're using client certs then you should be using one of the
Diffie-Hellman cipher suites, shouldn't you? DH is not vulnerable to this
type of passive interception attack, and couldn't be attacked in this
way[1]. Certificate protected DH is still vulnerable to an active MitM if
someone has a copy of the server's private key.
However, the huge bulk of connections use the RSA cipher specs which _are_
vulnerable to the attack you describe. Looking at it in this light, I am
trying to work out why the implementors chose this construction (sending the
PMS simply encrypted with the server cert) instead of "one side signed"
Diffie-Hellman, like IPSec-IKE, which would have obviated the passive
sniffing attack. Does anyone know?
Cheers,
ben
[1] eg, http://www.hack.gr/users/dij/crypto/overview/diffie.html
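The contrast ben draws (RSA key transport vs. one-side-signed Diffie-Hellman) is easy to see in code. The example below is an added illustration, not code from the thread or from any TLS library: it models both handshakes with a toy textbook-RSA server key (two Mersenne primes, constructed here so nothing beyond the Python standard library is needed; not a secure key) and the 1024-bit MODP group from RFC 2409, then replays a recorded transcript through an "offline recovery" step that is handed the server's long-term private key. The recorder gets the RSA session key back; for the DHE transcript the same key buys it only a signature check, because g^xy is not computable from g^x and g^y. The function and dictionary names are my own.

```python
import hashlib
import secrets

# Toy server RSA key (constructed for this example): textbook RSA over two
# Mersenne primes so the example runs without a crypto library. Not secure.
_P = 2**521 - 1
_Q = 2**607 - 1
RSA_N = _P * _Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))   # server's long-term private key
RSA_BYTES = (RSA_N.bit_length() + 7) // 8

# 1024-bit MODP group, RFC 2409 "Second Oakley Group", generator 2.
DH_P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
DH_G = 2
DH_BYTES = (DH_P.bit_length() + 7) // 8


def rsa_sign(msg: bytes) -> int:
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return pow(h, RSA_D, RSA_N)


def rsa_verify(msg: bytes, sig: int) -> bool:
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return pow(sig, RSA_E, RSA_N) == h


def derive_key(secret: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # Stand-in for the TLS PRF: session key = H(secret || nonces).
    return hashlib.sha256(secret + client_random + server_random).digest()


def rsa_key_exchange():
    """RSA key transport (TLS_RSA_*): client encrypts the PMS to the server cert."""
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    pms = secrets.randbelow(RSA_N)                     # toy; real TLS uses 48 bytes
    encrypted_pms = pow(pms, RSA_E, RSA_N)             # ClientKeyExchange
    key = derive_key(pms.to_bytes(RSA_BYTES, "big"), client_random, server_random)
    # Everything a passive observer on the wire gets to see:
    transcript = {"cr": client_random, "sr": server_random, "enc_pms": encrypted_pms}
    return key, transcript


def offline_recovery_rsa(transcript, server_priv=RSA_D):
    """Recorded RSA handshake + server private key obtained later => session key."""
    pms = pow(transcript["enc_pms"], server_priv, RSA_N)
    return derive_key(pms.to_bytes(RSA_BYTES, "big"), transcript["cr"], transcript["sr"])


def dhe_key_exchange():
    """One-side-signed ephemeral DH (TLS_DHE_RSA_*): the cert only signs g^x."""
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    x = secrets.randbelow(DH_P - 2) + 1                # server ephemeral exponent
    server_pub = pow(DH_G, x, DH_P)
    signed = client_random + server_random + server_pub.to_bytes(DH_BYTES, "big")
    sig = rsa_sign(signed)                             # ServerKeyExchange
    if not rsa_verify(signed, sig):                    # client checks the signature
        raise ValueError("bad ServerKeyExchange signature")
    y = secrets.randbelow(DH_P - 2) + 1                # client ephemeral exponent
    client_pub = pow(DH_G, y, DH_P)                    # ClientKeyExchange
    shared_c = pow(server_pub, y, DH_P)
    shared_s = pow(client_pub, x, DH_P)
    assert shared_c == shared_s
    key = derive_key(shared_c.to_bytes(DH_BYTES, "big"), client_random, server_random)
    transcript = {"cr": client_random, "sr": server_random,
                  "server_pub": server_pub, "client_pub": client_pub, "sig": sig}
    return key, transcript


def offline_recovery_dhe(transcript, server_priv=RSA_D):
    """Same recorder, same leaked key, DHE handshake: the private key lets the
    recorder confirm the signature (and, as the post notes, would let an *active*
    attacker impersonate the server), but g^xy is not computable from the recorded
    g^x and g^y without solving the discrete log. Nothing to return."""
    signed = (transcript["cr"] + transcript["sr"]
              + transcript["server_pub"].to_bytes(DH_BYTES, "big"))
    assert rsa_verify(signed, transcript["sig"])       # this much it can check
    return None


def demo():
    rsa_key, rsa_t = rsa_key_exchange()
    dhe_key, dhe_t = dhe_key_exchange()
    return {"rsa_recovered": offline_recovery_rsa(rsa_t) == rsa_key,
            "dhe_recovered": offline_recovery_dhe(dhe_t) == dhe_key}


if __name__ == "__main__":
    print(demo())   # {'rsa_recovered': True, 'dhe_recovered': False}
```

The point the toy makes is structural rather than cryptographic: the ephemeral exponents x and y never leave the endpoints and are discarded after the handshake, so a later compromise of the certificate key cannot reach back to recorded sessions; with RSA key transport the certificate key *is* the decryption key for every recorded ClientKeyExchange.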
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Dec 03 2004