On 12/20/11 13:54, Adriano dos Santos Fernandes wrote: > On 20/12/2011 06:57, Alex Peshkoff wrote: >> connect: client's public key, login and database name => server >> accept: server's public key and salt => client >> attach: client's proof => server >> response: success if client's proof == server's proof >> >> > What I would like to know is that if there is a way to configure the > client to know if the server is a trusted one, cause if you only use > generated keys you don't prevent man in the middle attacks.
The power [ sorry for too beautiful words :) ] of SRP is that it DOES prevent man in the middle attack even with generated keys. This works cause in fact a kind of small key - password's hash - is placed on the server in advance. And that hash is used as a part of server's public key, returned to client. Correct session secret (and based on it proof) can be built from that public key only knowing login, salt (this 2 are not a problem certainly) and password, which is supposed to be unknown to attacker. If you want more details - http://srp.stanford.edu/ ------------------------------------------------------------------------------ Write once. Port to many. Get the SDK and tools to simplify cross-platform app development. Create new or port existing apps to sell to consumers worldwide. Explore the Intel AppUpSM program developer opportunity. appdeveloper.intel.com/join http://p.sf.net/sfu/intel-appdev Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
