Basically, there's the issue of encrypted pw initiating a plain-text comm or the whole comm encrypted. SSH does RSA pw exchange and IDEA encrypting.

Check out http://www.cs.hut.fi/ssh/RFC

cu
-pete

> -----Original Message-----
> From: Ben Nagy [SMTP:[EMAIL PROTECTED]]
> Sent: Friday, 14 May 1999 10:36
> To: [EMAIL PROTECTED]
> Subject: RE: Securing analog phone lines (!)
>
> I know this is only hazily part of the focus of the list, but the comment
> about intercepting SSH communications over an insecure wire interested me.
> I guess we have a fair few posts that touch on delivering secure services
> through firewalls, so maybe it's relevant.
>
> Cryptography is not one of my strong areas, but I thought SSH was designed
> to avoid hijacking and man-in-the-middle attacks? I don't know exactly how
> it works, but something like pre-shared RSA keys or certificates could be
> used to authenticate hosts in a manner that a hacker sitting on the wire
> wouldn't be able to impersonate because the secret segment is never
> transmitted...right? Even Diffie-Hellman or something should be proof
> against a middleman...
>
> Is there a cryptographer in the house? 8)
>
> --
> Ben Nagy
> Network Consultant, CPM&S Group of Companies
> Direct Dial: (08) 8422 8319 Mobile: (0414) 411 520
>
> > Well, and this may go beyond the scope of this list, but ... Securing
> > analog lines (or any line for that matter) is hard because the telco
> > in most places isn't secure.. It would be really easy for a person to
> > access the junction box (anywhere between you and the Central Office
> > of the telco) cut the phone wire, add in a line simulator (so that
> > your side gets dialtone, line voltage etc), add a computer with a
> > couple modems, one going to you, via the line simulator, one going
> > to the telco, and effectively sniff the traffic.. The software to
> > control this would be fairly easy, and could most likely be written
> > by anyone that took a first year programming class (even a HS
> > class)..
> >
> > Anyway, the only real way to prevent something like this is to have
> > encryption on this link, and then you couldn't do something like the
> > way SSH works because the person could intercept the key exchange,
> > and exchange their key with you, and their key with the system you
> > were trying to connect to, thus giving them cleartext..
> >
> > But this type of attack is rare, and typically only done by people
> > that you wouldn't detect anyway, or by people who are going after very
> > specific information, and not just random stuff (which appears to be
> > a lot more common, the random stuff that is)..
> >
> > Anyway, I am rambling again so ... :)

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
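
The pre-shared host key check that the thread turns on, as an added example that is not part of any poster's message or of SSH's own code: a client compares the key a server presents against keys pinned out of band, which is what exposes a key swapped in during the exchange. It assumes the present-day OpenSSH `known_hosts` line layout and SHA256 fingerprint style; the host names and key blobs are constructed.

```python
import base64
import hashlib
import hmac
import struct

def ssh_string(data: bytes) -> bytes:
    """SSH wire encoding of a string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def make_blob(seed: bytes) -> bytes:
    """Constructed stand-in shaped like an ssh-ed25519 public key blob (no real key pair)."""
    return ssh_string(b"ssh-ed25519") + ssh_string(hashlib.sha256(seed).digest())

def fingerprint(blob: bytes) -> str:
    """Fingerprint in the style OpenSSH prints: unpadded base64 of SHA-256(blob)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def check_host_key(known_hosts: str, host: str, presented: bytes) -> str:
    """Compare the key a server presents with the keys pinned for that host.

    'match'    -> same key that was distributed out of band
    'mismatch' -> host is pinned but offers another key: refuse to connect
    'unknown'  -> nothing pinned, so a substituted key cannot be told apart
    """
    pinned_seen = False
    for line in known_hosts.splitlines():
        fields = line.split()
        # Skip blanks, comments, marker lines (@revoked, @cert-authority) and
        # short lines; hashed host names (|1|...) never equal a plain name here.
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue
        if host not in fields[0].split(","):
            continue
        try:
            pinned = base64.b64decode(fields[2], validate=True)
        except ValueError:
            continue  # malformed entry: never treat it as a match
        pinned_seen = True
        if hmac.compare_digest(pinned, presented):
            return "match"
    return "mismatch" if pinned_seen else "unknown"

# Constructed sample data: host names and key blobs are invented for this example.
GENUINE = make_blob(b"constructed genuine host key")
SUBSTITUTED = make_blob(b"constructed key swapped in on the wire")
KNOWN_HOSTS = "# pinned out of band\ngw.example.test ssh-ed25519 %s\n" % base64.b64encode(GENUINE).decode()

if __name__ == "__main__":
    for name, key in (("gw.example.test", GENUINE), ("gw.example.test", SUBSTITUTED), ("new.example.test", SUBSTITUTED)):
        print(name, fingerprint(key), check_host_key(KNOWN_HOSTS, name, key))
```

The `unknown` result is the case to watch: with no key pinned beforehand, the client has nothing to compare against and must confirm the fingerprint through another channel before trusting it.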
