Sorry, I guess I overlooked something - if you've got a limited set of servers, then you don't need a trusted third party to verify the identities of 'new servers' that your application wishes to talk to; you can build the certification into the client application instead.

On Aug 17, 5:35 pm, Parch <[EMAIL PROTECTED]> wrote:
> If what you want to know is how to prevent man-in-the-middle attacks,
> then I think this article might be helpful:
>
> http://www-128.ibm.com/developerworks/linux/library/l-openssl2.html?c...
>
> The essential point to remember is you have to be able to prove you
> are communicating with a particular person/server (otherwise they
> could be anyone). In general this requires there to be someone else
> you trust -- which may or may not suit your application.
>
> On Aug 17, 2:34 am, Oleg <[EMAIL PROTECTED]> wrote:
>
> > Good day.
>
> > We have client-server. Each client uses a password for authentication,
> > the server has hashes of the passwords. After successful authentication
> > the client and server transmit some data.
>
> > We need to encrypt the transmitted data. As I understand, reading this
> > list, we need to generate a session key and encrypt data using this
> > key. I found that DH is one of the algorithms for session key generation.
> > But it is insecure against the man-in-the-middle attack. Could we somehow
> > use the password hash to raise the security?
>
> > I would be very much obliged to you if you would give me some
> > directions to google.
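
One way to build the server identity into the client, as the reply at the top of this message suggests for a limited set of servers, is to ship the certificate fingerprints of the known servers and refuse any other peer. This is an added example, not code from the thread; `cert_is_pinned`, `connect_pinned` and the pin values are hypothetical names and constructed data.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed placeholder pins: SHA-256 of each known server's DER certificate.
# Real values would be computed from your own servers' certificates at build time.
PINNED_SHA256 = {
    hashlib.sha256(b"constructed stand-in for server A certificate").hexdigest(),
    hashlib.sha256(b"constructed stand-in for server B certificate").hexdigest(),
}


def cert_is_pinned(der_cert, pins=PINNED_SHA256):
    """Return True if the SHA-256 of the DER certificate equals one of the pins."""
    if not der_cert:
        return False  # no certificate presented: fail closed
    digest = hashlib.sha256(der_cert).hexdigest()
    matched = False
    for pin in pins:
        # Constant-time comparison against every pin, no early exit.
        matched |= hmac.compare_digest(digest, pin.lower())
    return matched


def connect_pinned(host, port, pins=PINNED_SHA256, timeout=10.0):
    """Open a TLS connection; return it only if the peer certificate is pinned."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # No CA (trusted third party) is consulted: trust comes solely from the pins.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    if not cert_is_pinned(tls.getpeercert(binary_form=True), pins):
        tls.close()  # refuse before any application data is sent
        raise ssl.SSLError("server certificate does not match any pinned fingerprint")
    return tls
```

Because the handshake proves the server holds the private key for the certificate it presents, a man in the middle without that key cannot present a certificate that passes the pin check.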
