On 5/17/05, Nelson Bolyard <[EMAIL PROTECTED]> wrote:
> Gervase Markham wrote:
> > Say I'm a website owner who wants to give my users the assurance that
> > (theoretically; let's not go there right now) comes with an SSL
> > connection, but don't want or need the overhead of encryption.
> 
> You don't need the overhead, but how about the secrecy?
> Surely that is part of the assurance that comes from SSL.
> Some folks in this group think that is the ONLY value of SSL.
> Would you give that up?

There are still a couple of countries where the usage of encryption is
outlawed.  There is still value in the keyed HMAC, to show that the
data has not been tampered with in-transit.  (I seem to recall a paper
by Rivest where he suggested that in these circumstances, secrecy
could be attained by sending a bunch of plaintext data with invalid
HMACs, most of it completely bogus, but the real data being able to be
determined by the remote side due to the validity of the HMAC.)

There are three separate services/assertions offered by SSL:

1) Identification of the parties involved, through the use of
certificates and checking their validity.  (Public-key cryptography
involved.)
2) Secrecy of data transmitted, through the use of shared keys and
bulk ciphers (RC4, RC2, Blowfish, Twofish, AES, etc.)
3) Authenticity of data transmitted, through the use of keyed HMACs. 
(MD5, SHA-1, SHA-256, SHA-512, etc.)

The values of each of these are up to the implementor and the user.

> > Would it be possible (i.e. what would the side effects be) to enable the
> > null cyphers in our SSL implementation, assuming that we made it so that
> > using them didn't invoke the lock?
> 
> Try it and see.  mozilla 1.7.x provides UI to enable the null ciphers.
> With FF, I think you can use about:config to enable
> security.ssl3.rsa_null_md5
> security.ssl3.rsa_null_sha

Is it possible to enable NULL-NULL-MD5 and NULL-NULL-SHA?  Ephemeral
DH might be of interest here, to agree on a key for the HMAC.

> > Would that have much effect on server computational load, or is the
> > encryption and decryption not where most of the cycles go?
> 
> Depends on the ciphersuite and other factors.
> 
> If individuals tend to visit your website only once per day (one page per
> visitor per day, one https connection per visitor per day) and your pages
> are relatively small, then your dominant cost will likely be the cost of
> the RSA operations.  You can get RSA accelerators for that (PCI cards for
> your box).
> 
> If individuals tend to visit your website numerous times each day, or the
> pages are large (e.g. lxr.mozilla.org :), then your dominant cost will be
> the combination of bulk encryption and MACing (keyed hashing).

If the pages are large, this will be true.  If there are numerous
accesses by the same client, then it depends on the client's (and
server's) willingness to re-use session data.

(Note that Apache with mod_ssl has a means of sharing session data
between different servers in a cluster, through the use of Sleepycat
DB4.  This presumes that all machines in the cluster present
themselves as the same hostname, that the reverse DNS for all
associated IPs points to the same hostname, and that all servers in
the cluster use the same private key and certificate.  This is not an
Apache support forum, though, so details will be left to the reader.)

> SSL offers a wealth of different bulk encryption algorithms and several
> MAC algorithms.  Some of these are more costly than others.  The cheapest
> bulk encryption algorithm (by far) is RC4.  The cheapest MAC algorithm
> uses the MD5 hash.  SHA1 is considerably slower, about twice as slow as
> RC4 encryption.

MD5 has been declared 'insecure', and SHA-1 has been declared
'potentially insecure'.  The US's FIPS standards are now phasing out
SHA-1, and are suggesting that SHA-256 or more
computationally-expensive hashing algorithms be used from here on out.

> Your SSL server will generally pick the ciphersuite with the strongest
> bulk encryption and the strongest MAC from those enabled on both the
> client and server.  If you want your server to use the fastest alg's
> you must disable the stronger ones.

Since there's no server implementation out there that I'm aware of
which allows unauthenticated SSL, the best bets for this are
RSA-NULL-MD5, RSA-NULL-SHA, DH-NULL-MD5, and DH-NULL-SHA.

-Kyle
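
The scheme attributed to Rivest in the message above (usually called chaffing and winnowing), as an added Python example that is not part of the original thread. The packet layout (serial, bit, MAC), the function names and the choice of HMAC-SHA-256 are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

TAG_LEN = hashlib.sha256().digest_size

def tag(key: bytes, serial: int, bit: int) -> bytes:
    # MAC covers the serial number too, so packets cannot be reordered or replayed.
    return hmac.new(key, serial.to_bytes(4, "big") + bytes([bit]), hashlib.sha256).digest()

def chaff_and_send(key: bytes, message: bytes) -> list:
    """Send every bit in the clear twice: the real value with a valid MAC
    (wheat) and its complement with a random, invalid MAC (chaff)."""
    bits = [(byte >> (7 - i)) & 1 for byte in message for i in range(8)]
    packets = []
    for serial, bit in enumerate(bits):
        pair = [(serial, bit, tag(key, serial, bit)),
                (serial, bit ^ 1, secrets.token_bytes(TAG_LEN))]
        if secrets.randbits(1):  # hide which packet of the pair is wheat
            pair.reverse()
        packets.extend(pair)
    return packets

def winnow(key: bytes, packets: list) -> bytes:
    """Keep only packets whose MAC verifies, then rebuild the message."""
    bits = {}
    for serial, bit, mac in packets:
        if hmac.compare_digest(mac, tag(key, serial, bit)):
            if serial in bits:
                raise ValueError("two valid packets for one serial")
            bits[serial] = bit
    if sorted(bits) != list(range(len(bits))) or len(bits) % 8:
        raise ValueError("missing or tampered packets")
    out = bytearray()
    for i in range(0, len(bits), 8):
        byte = 0
        for j in range(8):
            byte = (byte << 1) | bits[i + j]
        out.append(byte)
    return bytes(out)

if __name__ == "__main__":
    key = secrets.token_bytes(32)          # constructed shared MAC key
    wire = chaff_and_send(key, b"hello")   # constructed sample message
    print(len(wire), "packets on the wire ->", winnow(key, wire))
```

An observer without the key sees both bit values for every serial number and cannot tell which MAC is valid, while any modified wheat packet fails verification and leaves a gap that `winnow` rejects.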
