What does TLS bring to the table if the authentication mechanism generates
a secure session key? Crypto libraries are a dime a dozen.
On Thursday, October 16, 2014, marius adrian popa <map...@gmail.com> wrote:
> Jim, I wasn't talking about the auth part, that is solved; I was thinking
> about the encrypted data channel.
>
> On Mon, Oct 13, 2014 at 5:23 PM, Jim Starkey <j...@jimstarkey.net> wrote:
>
>> Why on earth would someone authenticate with SRP then drop in TLS?
>>
>> TLS/SSL was designed to authenticate a server to an anonymous client,
>> which it does very well. But if the client has an account/password pair,
>> TLS/SSL is unnecessary, is unreasonably expensive in round trips, and is
>> unnecessarily insecure.
>>
>> The essential problem with TLS is that it uses a public key crypto
>> system, aka PKIS aka certificates, to exchange session keys. If the
>> server's certificate's private key is exposed by accident, leak, hack, or
>> governmental authority, anyone with that key can decrypt all past and
>> future sessions that use that certificate. In the United States, a company
>> is legally obliged to surrender keys on secret demand from the FBI. Once
>> the company has complied, all sessions on that key are blown -- and the
>> company is forbidden to warn other customers.
>>
>> SRP performs mutual authentication between client and server in a single
>> round trip which can piggy back on the initial connection protocol packet.
>> In the process, it generates a completely secure key that can be used as a
>> session key to encrypt the next packet to the server. If the server
>> validates the first encrypted message, the handshake is done. And, even
>> better, the session key exists only in memory on the client and server, so
>> there is never anything to fork over to a snooping government.
>>
>> SRP/RC4 is robust, efficient, secure, and provides perfect forward
>> security. TLS is none of these.
>>
>>
>>
>>
>> On 10/13/2014 5:22 AM, marius adrian popa wrote:
>>
>> My guess is that after SRP auth we can create a secure TLS channel.
>>
>> Usually this is solved by creating and opening another port like 4443 or
>> with protocol modifications using the Firebird port.
>>
>>
>> http://superuser.com/questions/567594/how-to-set-up-a-server-to-use-tls-srp-authentication
>>
>>
>> http://matthewarcus.wordpress.com/2014/05/10/srp-in-openssl/
>>
>>
>> PS: we can start using OpenSSL even if we only need to mention it
>>
>>
>> http://stackoverflow.com/questions/6720610/when-and-where-to-mention-usage-of-openssl
>> http://en.wikipedia.org/wiki/OpenSSL#Licensing
>>
>> PPS: or I would use the BoringSSL from Chromium/Android
>> https://www.imperialviolet.org/2014/06/20/boringssl.html
>>
>> http://arstechnica.com/security/2014/06/google-unveils-independent-fork-of-openssl-called-boringssl/
>>
>>
>> Firebird-Devel mailing list, web interface at
>> https://lists.sourceforge.net/lists/listinfo/firebird-devel
>
--
Jim Starkey