Re: [ilugc] Encrypted password captured when listening on network
On Mon, Nov 15, 2010 at 4:01 AM, Ashish Verma ilu...@gmail.com wrote:

> I want to know if it is possible for someone to gain access to resources if they capture a person's encrypted password.

It depends on the protocol. If it's a very simple protocol where the initial authentication between the server and the client is only encrypted (the remaining traffic after authentication is sent in the clear) and no freshness (say a session key with an expiry time) is used then whatever you say is possible. But I doubt anybody uses such a protocol.

> For Eg: Gmail uses https once the authentication process starts. This is basically to ensure that if anyone is listening on the network he gets garbled text. So if a person is able to emulate the session and send the encrypted password with my user-id... will he gain access to my gmail account?

Gmail uses full https. The entire traffic is encrypted and is session key based. So if someone does the relay attack (where the adversary stores the encrypted traffic and replays it later on) to authenticate himself, the session key would no longer be the same. So the server (here gmail) will not be able to decrypt your message.

If the attacker does this during an active session (i.e. the session keys are still valid), he will be able to send this emulated/stored encrypted traffic and the server will validate it. But since the adversary does not know the session key, he will receive back encrypted garbage which only the client (with the correct session key) can decrypt. So again this is not very useful. And of course by the very nature of encryption (one way functions[1]) it is not possible/very hard to retrieve the key from encrypted data.

In short you are OK *in general*. But then one can do slightly sophisticated attacks. IMO security is always an illusion :)

Hope this helps.

[1] http://en.wikipedia.org/wiki/One-way_function
[2] http://en.wikipedia.org/wiki/Transport_Layer_Security

Regards,
Aanjhan

___
ILUGC Mailing List: http://www.ae.iitm.ac.in/mailman/listinfo/ilugc
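The contrast drawn in the reply above, between a simple protocol with no freshness and one where each exchange is bound to a fresh value, as an added example that is not part of the original thread. It is a toy Python model, not TLS; `StaticServer`, `FreshServer`, the sample password and the use of a password hash as the HMAC key are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

PASSWORD = b"correct horse"  # constructed sample secret

def static_token(password):
    """No freshness: the same protected value goes over the wire at every login."""
    return hashlib.sha256(password).digest()

def client_response(password, nonce):
    """Freshness: the proof is computed over a server-chosen one-time nonce."""
    key = hashlib.sha256(password).digest()  # simplification, not a real KDF
    return hmac.new(key, nonce, hashlib.sha256).digest()

class StaticServer:
    def __init__(self, password):
        self.expected = static_token(password)

    def login(self, token):
        return hmac.compare_digest(token, self.expected)

class FreshServer:
    def __init__(self, password):
        self.password = password
        self.pending = set()  # nonces issued and not yet used

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def login(self, nonce, response):
        if nonce not in self.pending:
            return False  # unknown or already used nonce
        self.pending.discard(nonce)  # each nonce is accepted once
        return hmac.compare_digest(response, client_response(self.password, nonce))

def demo():
    """Return, per scenario, whether the server accepts the login."""
    weak, strong = StaticServer(PASSWORD), FreshServer(PASSWORD)
    captured = static_token(PASSWORD)  # what a listener records on the weak scheme
    n1 = strong.challenge()
    r1 = client_response(PASSWORD, n1)  # what a listener records on the fresh scheme
    return {
        "static_legit": weak.login(captured),
        "static_replay": weak.login(captured),           # replay is accepted
        "fresh_legit": strong.login(n1, r1),
        "fresh_replay_same_nonce": strong.login(n1, r1),  # nonce already consumed
        "fresh_replay_new_nonce": strong.login(strong.challenge(), r1),
    }

if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario}: {accepted}")
```
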
[ilugc] Encrypted password captured when listening on network
Hi,

I want to know if it is possible for someone to gain access to resources if they capture a person's encrypted password.

For Eg: Gmail uses https once the authentication process starts. This is basically to ensure that if anyone is listening on the network he gets garbled text. So if a person is able to emulate the session and send the encrypted password with my user-id... will he gain access to my gmail account?

Regards,
Ashish
Re: [ilugc] Encrypted password captured when listening on network
On Mon, Nov 15, 2010 at 8:31 AM, Ashish Verma ilu...@gmail.com wrote:

> Hi,
>
> I want to know if it is possible for someone to gain access to resources if they capture a person's encrypted password.
>
> For Eg: Gmail uses https once the authentication process starts. This is basically to ensure that if anyone is listening on the network he gets garbled text. So if a person is able to emulate the session and send the encrypted password with my user-id... will he gain access to my gmail account?

In https, the entire session is encrypted - not the individual fields. So you cannot see what the password field's value is.

As for a person submitting stolen encrypted data, even if the server returns something, he cannot do much with it because he will not have the key to unencrypt it. Though am not sure if the server will even respond - just thinking aloud!

regds,
mano

--
Computers are useless. They can only give you answers. -- Pablo Picasso
Re: [ilugc] Encrypted password captured when listening on network
On Monday 15 November 2010 09:13 AM, Manokaran K wrote:

> On Mon, Nov 15, 2010 at 8:31 AM, Ashish Verma ilu...@gmail.com wrote:
>
>> Hi, I want to know if it is possible for someone to gain access to resources if they capture a person's encrypted password.
>
> In https, the entire session is encrypted - not the individual fields. So you cannot see what the password field's value is.

Indeed. But it depends on how long the https encryption is on. Most sites, Gmail and Facebook included, turn on https only during login. So though the password etc. are encrypted, if the user is able to capture the session cookie (say in a public wi-fi hotspot), he can still impersonate you and can do whatever he wants. This is the whole premise of the controversial Firesheep (http://codebutler.com/firesheep). And of course, then you should also read up about Blacksheep.

A few sites like GitHub have gone fully-https in advent of this. Most of them are yet to, mostly because it means significant changes to their network infrastructure.

That said, I'm no security researcher, perhaps somebody with experience in this domain can give more insights on this.

Vamsee.
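A defender-side check for the situation described in the message above (https only at login, session cookie reused on plain http afterwards), as an added example that is not part of the original thread. The `Set-Cookie` lines are constructed samples, and the cookie names treated as session-bearing (`SID`, `SSID`) are an assumption.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: headers a site might send after an https login.
SAMPLE_SET_COOKIE = [
    "SID=abc123; Path=/; HttpOnly",
    "SSID=def456; Path=/; Secure; HttpOnly",
    "lang=en; Path=/",
]
SESSION_NAMES = {"SID", "SSID"}  # assumption: cookies that carry the login session

def parse(set_cookie_headers):
    """Return {cookie name: has_secure_flag} for every Set-Cookie header."""
    flags = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            flags[name] = bool(morsel["secure"])
    return flags

def exposed_on(url, set_cookie_headers, session_names=SESSION_NAMES):
    """Session cookies a browser would attach, unencrypted, to a request for url.

    A cookie without the Secure attribute is sent on plain-http requests to the
    same site, so anyone on the same network segment can read it.
    """
    if urlsplit(url).scheme != "http":
        return []  # https requests are encrypted end to end
    flags = parse(set_cookie_headers)
    return sorted(n for n, secure in flags.items()
                  if n in session_names and not secure)

if __name__ == "__main__":
    for url in ("https://mail.example.test/inbox", "http://mail.example.test/inbox"):
        print(url, "->", exposed_on(url, SAMPLE_SET_COOKIE) or "nothing exposed")
```
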
Re: [ilugc] Encrypted password captured when listening on network
On Mon, Nov 15, 2010 at 10:29 AM, Vamsee Kanakala vkanak...@gmail.com wrote:

> On Monday 15 November 2010 09:13 AM, Manokaran K wrote:
>
>> On Mon, Nov 15, 2010 at 8:31 AM, Ashish Verma ilu...@gmail.com wrote:
>>
>>> Hi, I want to know if it is possible for someone to gain access to resources if they capture a person's encrypted password.
>>
>> In https, the entire session is encrypted - not the individual fields. So you cannot see what the password field's value is.
>
> Indeed. But it depends on how long the https encryption is on. Most sites, Gmail and Facebook included, turn on https only during login. So though the password etc. are encrypted, if the user is able to capture the session cookie (say in a public wi-fi hotspot), he can still impersonate you and can do whatever he wants. This is the whole premise of the controversial Firesheep (http://codebutler.com/firesheep). And of course, then you should also read up about Blacksheep.
>
> A few sites like GitHub have gone fully-https in advent of this. Most of them are yet to, mostly because it means significant changes to their network infrastructure.
>
> That said, I'm no security researcher, perhaps somebody with experience in this domain can give more insights on this.
>
> Vamsee.

Gmail uses https all the time by default. Here (http://mail.google.com/support/bin/answer.py?hl=enanswer=74765) is the gmail help file for https-always.
Re: [ilugc] Encrypted password captured when listening on network
On Mon, 2010-11-15 at 10:44 +0530, Parikshith Mechineni wrote:

> Gmail uses https all the time by default. Here (http://mail.google.com/support/bin/answer.py?hl=enanswer=74765) is the gmail help file for https-always.

kindly avoid bottom posting

--
regards
KG
http://lawgon.livejournal.com