Jim i wasn't talking about the auth part that is solved i was thinking
about the encrypted data channel
On Mon, Oct 13, 2014 at 5:23 PM, Jim Starkey <j...@jimstarkey.net> wrote:
> Why on earth would someone authenticate with SRP then drop in TLS?
>
> TLS/SSL was designed to authenticate a server to an anonymous client,
> which it does very well. But if the client has an account/password pair,
> TLS/SSL is unnecessary, is unreasonably expensive in round trips, and is
> unnecessarily insecure.
>
> The essential problem with TLS is that it uses a public key crypto system,
> aka PKIS aka certificates, to exchange session keys. If the server's
> certificate's private key is exposed by accident, leak, hack, or
> governmental authority, anyone with that key can decrypt all past and
> future sessions that use that certificate. In the United States, a company
> is legally obliged to surrender keys on secret demand from the FBI. Once
> the company has complied, all sessions on that key are blown -- and the
> company is forbidden to warn other customers.
>
> SRP performs mutual authentication between client and server in a single
> round trip which can piggy back on the initial connection protocol packet.
> In the process, it generates a completely secure key that can be used as a
> session key to encrypt the next packet to the server. If the server
> validates the first encrypted message, the handshake is done. And, even
> better, the session key exists only in memory on the client and server, so
> there is never anything to fork over to a snooping government.
>
> SRP/RC4 is robust, efficient, secure, and provides perfect forward
> security. TLS is none of these.
>
>
>
>
> On 10/13/2014 5:22 AM, marius adrian popa wrote:
>
> My guess is that after srp auth we can create a secure tls channel
>
> usually is solved by creating and opening another port like 4443 or
> with protocol modifications using the firebird port
>
>
> http://superuser.com/questions/567594/how-to-set-up-a-server-to-use-tls-srp-authentication
>
>
> http://matthewarcus.wordpress.com/2014/05/10/srp-in-openssl/
>
>
> ps: we can start using openssl even if only need to mention it
>
>
> http://stackoverflow.com/questions/6720610/when-and-where-to-mention-usage-of-openssl
> http://en.wikipedia.org/wiki/OpenSSL#Licensing
>
> pps: or i would use the boringssl from cromium/android
> https://www.imperialviolet.org/2014/06/20/boringssl.html
>
> http://arstechnica.com/security/2014/06/google-unveils-independent-fork-of-openssl-called-boringssl/
>
>
> ------------------------------------------------------------------------------
> Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
> Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
> Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
> Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog
> Analyzerhttp://p.sf.net/sfu/Zoho
>
>
>
> Firebird-Devel mailing list, web interface at
> https://lists.sourceforge.net/lists/listinfo/firebird-devel
>
>
>
>
> ------------------------------------------------------------------------------
> Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
> Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
> Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
> Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
> http://p.sf.net/sfu/Zoho
> Firebird-Devel mailing list, web interface at
> https://lists.sourceforge.net/lists/listinfo/firebird-devel
>
>
------------------------------------------------------------------------------
Comprehensive Server Monitoring with Site24x7.
Monitor 10 servers for $9/Month.
Get alerted through email, SMS, voice calls or mobile push notifications.
Take corrective actions from your mobile device.
http://p.sf.net/sfu/Zoho
Firebird-Devel mailing list, web interface at
https://lists.sourceforge.net/lists/listinfo/firebird-devel
