---Reply to mail from [EMAIL PROTECTED] about Securing analog phone lines (!)
> Basically, there's the issue of encrypted pw initiating a plain-text comm or
> the whole comm encrypted.
> SSH does RSA pw exchange and IDEA encrypting. Check out
> http://www.cs.hut.fi/ssh/RFC
>
Yes, but my comment was that if you are 'man in the middle' then you could
force the person connecting via SSH to connect to you (by intercepting and
replying to the packets) and you make a connection to the server that
they were connecting to.. Because you share your key with both people,
you know what the clear text is, you can sniff/whatever..
Of course this requires physical access, some hardware (and the risk of
losing it if it isn't locked up well, or is found), etc so a lot of people
won't do this specific version (similar attacks may apply though) of the
attack, but it's still a possibility.. It *can* be done, which is why you
need to really authenticate the person you are sharing your key with..
The problem with RSA key exchanging (or DH for that matter) is that there
isn't a good way to prove that the person you are talking to really is the
person you want to talk to.. You would have to use a Certificate Signing
Authority (and then hope that stuff isn't spoofed anyway, which it still
can't be but ...) or shared secret data that doesn't get passed.. Of course
that doesn't work well for communications that are for generic use..
But hey..
:)
> cu
> -pete
>
>
>> -----Original Message-----
>> From: Ben Nagy [SMTP:[EMAIL PROTECTED]]
>> Sent: Friday, 14 May 1999 10:36
>> To: [EMAIL PROTECTED]
>> Subject: RE: Securing analog phone lines (!)
>>
>> I know this is only hazily part of the focus of the list, but the comment
>> about intercepting SSH communications over an insecure wire interested me.
>> I guess we have a fair few posts that touch on delivering secure services
>> through firewalls, so maybe it's relevant.
>>
>> Cryptography is not one of my strong areas, but I thought SSH was designed
>> to avoid hijacking and man-in-the-middle attacks? I don't know exactly how
>> it works, but something like pre-shared RSA keys or certificates could be
>> used to authenticate hosts in a manner that a hacker sitting on the wire
>> wouldn't be able to impersonate because the secret segment is never
>> transmitted...right? Even Diffie-Hellman or something should be proof
>> against a middleman...
>>
>> Is there a cryptographer in the house? 8)
>>
>> --
>> Ben Nagy
>> Network Consultant, CPM&S Group of Companies
>> Direct Dial: (08) 8422 8319 Mobile: (0414) 411 520
>>
>>
>> Well, and this may go beyond the scope of this list, but ... Securing
>> analog lines (or any line for that matter) is hard because the telco
>> in most places isn't secure.. It would be really easy for a person to
>> access the junction box (anywhere between you and the Central Office
>> of the telco) cut the phone wire, add in a line simulator (so that
>> your side gets dialtone, line voltage etc), add a computer with a
>> couple modems, one going to you, via the line simulator, one going
>> to the telco, and effectively sniff the traffic.. The software to
>> control this would be fairly easy, and could most likely be written
>> by anyone that took a first year programming class (even a HS
>> class)..
>>
>> Anyway, the only real way to prevent something like this is to have
>> encryption on this link, and then you couldn't do something like the
>> way SSH works because the person could intercept the key exchange,
>> and exchange their key with you, and their key with the system you
>> were trying to connect to, thus giving them cleartext..
>>
>> But this type of attack is rare, and typically only done by people
>> that you wouldn't detect anyway, or by people who are going after very
>> specific information, and not just random stuff (which appears to be
>> a lot more common, the random stuff that is)..
>>
>> Anyway, I am rambling again so ... :)
>>
>>
--
Bret McDanel http://www.rehost.com
Realistic Technologies, Inc. 973-514-1144
These opinions are mine, and may not be the same as my employer
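
The check the message above calls for (authenticating the key you are handed before you use it), as an added example that is not part of the original mail or of SSH's code. Assumptions: a toy Diffie-Hellman group, the server's static public value standing in for a host key, a fingerprint learned out of band, and hypothetical function names throughout.

```python
import hashlib
import secrets

# Toy group, constructed for illustration only (far too small for real use).
P = 2**127 - 1  # a Mersenne prime
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    return hashlib.sha256(str(pow(peer_pub, priv, P)).encode()).hexdigest()

def fingerprint(pub):
    return hashlib.sha256(str(pub).encode()).hexdigest()[:32]

def client_connect(offered_pub, pinned_fp=None):
    """Client side. pinned_fp is the server fingerprint learned out of band."""
    if pinned_fp is not None and fingerprint(offered_pub) != pinned_fp:
        raise ConnectionError("host key mismatch: possible man in the middle")
    priv, pub = keypair()
    return pub, session_key(priv, offered_pub)

def demo():
    srv_priv, srv_pub = keypair()   # genuine server
    mid_priv, mid_pub = keypair()   # party on the wire offering its own key

    # 1) No authentication: the client accepts whatever key arrives, so the
    #    party in the middle derives the same session key as the client.
    cli_pub, cli_key = client_connect(mid_pub)
    unauthenticated_exposed = cli_key == session_key(mid_priv, cli_pub)

    # 2) Fingerprint pinned out of band: the substituted key is rejected.
    pinned = fingerprint(srv_pub)
    try:
        client_connect(mid_pub, pinned)
        substitution_detected = False
    except ConnectionError:
        substitution_detected = True

    # 3) The genuine server still passes the check and agrees on the key.
    cli_pub2, cli_key2 = client_connect(srv_pub, pinned)
    genuine_ok = cli_key2 == session_key(srv_priv, cli_pub2)
    return unauthenticated_exposed, substitution_detected, genuine_ok

if __name__ == "__main__":
    print(demo())
```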