Hi,
Thomas Reinke wrote:
>
> What you're basically saying is that if someone can sniff packets, and
> brute force their way into decrypting the information, is their
> data safe, and is this a possible scenario.
The point in this application is that the sniffing person
also has to be able to stop the traffic as soon as it comes
to be real data-traffic (after handshake). I think that this is one step
further, isn't it? (Because in this case, the information
on the server can only be fetched once, and if the real client
has made it, then the intruder will be too late).
>
> No, their data won't be safe. Yes, this is possible. There are
> plenty of studies that have shown how much computing power it
> will take to break a particular cipher. That's why some
> organizations adopt ciphers such as 128 bit (if you can get
> a server supporting them) that can't be broken by brute
> force.
>
> Thomas
>
> Stephan Bauer wrote:
> >
> > Hi,
> >
> > I would enjoy hearing some opinions on the following
> > potential scenario:
> >
> > The SSL-Client does no client-auth. and has to transmit
> > one string, that contains security-sensitive data.
> > Let's think of a man-in-the-middle who lets through
> > the handshake-packets, but blocks the data-packets.
> > He then performs a brute-force-attack on the sent data,
> > and opens a completely new SSL-Connection with the server,
> > transmitting the data, that the server expects to receive
> > from the one real client.
> >
> > I know, with client-auth. you could avoid this, but some
> > customers of our solution might not be able to configure
> > their server for client-auth. So how realistic do
> > you think this to be?
Sorry if I was too unclear in the first mail.
Stephan
--------------------------
Tel : +49 89 92699114
Fax : +49 89 92699226
mail: [EMAIL PROTECTED]
www : http://www.ecrc.de
Cable & Wireless ECRC GmbH
--------------------------