Re: $90 for high assurance _versus_ $349 for low assurance

2005-03-20 Thread Ng Pheng Siong
On Tue, Mar 15, 2005 at 11:04:59AM -0500, Victor Duchovni wrote:
> On Wed, Mar 16, 2005 at 02:23:49AM +1300, Peter Gutmann wrote:
> > Certainly with UIXC it's not worth anything.
>
> What is UIXC?

lemme guess: universal indiscriminate cross certification

oh wait, peter did define it: implicit not indiscriminate

-- 
Ng Pheng Siong [EMAIL PROTECTED] 

http://sandbox.rulemaker.net/ngps -+- M2Crypto, ZServerSSL for Zope, Blog
http://www.sqlcrypt.com -+- Database Engine with Transparent AES Encryption

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Open Source (was Simple SSL/TLS - Some Questions)

2003-10-09 Thread Ng Pheng Siong
On Thu, Oct 09, 2003 at 01:56:47AM +1300, Peter Gutmann wrote:
> I would add to this the observation that rather than writing yet another SSL
> library to join the eight hundred or so already out there, it might be more
> useful to create a user-friendly management interface to IPsec implementations
> to join the zero or so already out there.  The difficulty in setting up any
> IPsec tunnel is what's been motivating the creation of (often insecure)
> non-IPsec VPN software,

Still coming back to SSL, it seems SSL VPNs are getting bigger: just got a
press release that some big firewall vendor (who has an IPsec appliance
product) has acquired some (big?) SSL VPN appliance vendor.

I believe SSL VPNs are easier than IPsec to deploy and operate for the road
warrior accessing corporate resources. This may eventually restrict IPsec's
utility to site-to-site tunneling (useful when, e.g., one wishes to run
OSPF over the tunnel), which _should_ be far easier to configure without
needing the help of some whizbang AI.


-- 
Ng Pheng Siong [EMAIL PROTECTED] 



Re: SSL

2003-07-10 Thread Ng Pheng Siong
On Thu, Jul 10, 2003 at 12:04:33PM +0100, [EMAIL PROTECTED] wrote:
> guess). However, the complexity of the OpenSSL library has me stumped.
> (Plus, it's Unix-centric. I'd like to turn it into a Visual Studio port so I
> could compile without needing cygwin, gcc, etc., but that's another story).

It isn't really. I have built OpenSSL using MSVC, BC and mingw.

I have a file here called openssl-0_9_7_Patch_VisualStudio6.zip culled from
the OpenSSL mailing list. I haven't tried it; if you want, I can send it to
you off-list.

> I'm not going to complain. That's been done to death here. Instead, I have a
> different question: Where can I learn about SSL?

I always suggest learning by doing. The OpenSSL C API is quite big, but
there exist wrappers in Perl, Python, Tcl, Ruby, Lisp and possibly
whatever high-level language you can think of. (I have one; see .sig.)
These make programming OpenSSL more accessible.

While your test programs are running, use ekr's excellent ssldump to see
the stuff happening on the wire.

There is also a book called SSL and TLS Essentials by Stephen Thomas that
just describes the protocol. Refer to the book while you're running your
programs and marveling at ssldump's output.

Have fun.

-- 
Ng Pheng Siong [EMAIL PROTECTED] 

http://firewall.rulemaker.net  -+- Manage Your Firewall Rulebase Changes
http://www.post1.com/home/ngps -+- Open Source Python Crypto  SSL



Re: Session Fixation Vulnerability in Web Based Apps

2003-06-15 Thread Ng Pheng Siong
On Sun, Jun 15, 2003 at 11:34:55AM -0700, James A. Donald wrote:
> Which is fine provided your code, rather than the framework
> code provided the cookie, and provided you generated the cookie
> in response to a valid login, as Ben Laurie does..   The
> framework, however, generally provides insecure cookies.

Dynamic programming environments like Lisp, Smalltalk and Python allow
the application programmer to replace parts of a framework with other code
easily.

Lisp does it better than Python. Dunno about Java, PHP, whatnot.

Build your applications with a superior programming system.


-- 
Ng Pheng Siong [EMAIL PROTECTED] 




Re: Maybe It's Snake Oil All the Way Down

2003-06-04 Thread Ng Pheng Siong
On Tue, Jun 03, 2003 at 03:04:54PM -0700, James A. Donald wrote:
> I never figured out how to use a certificate to authenticate a
> client to a web server, how to make a web form available to one
> client and not another.  Where do I start?

[ Resend to cryptography@ only coz the earlier attempt failed. ]

Start by looking up the OpenSSL wrappers for your favourite high-level
scripting language. There exist wrappers for Perl, Python, tcl, Ruby,
etc. Some popular languages have several.

Many of these programming language environments come with HTTP server
implementations, and many of the OpenSSL wrappers hook into said HTTP
server code to add HTTPS, and a number demonstrate how to do client-side
certificates.

My M2Crypto adds HTTPS to the popular web application server Zope
(www.zope.org) and has some code to hook client-side certificates into
Zope's own user authentication machinery. (By faking HTTP basic
authentication, just like Apache's SSL does.) Once you have that, you can
choose to serve whatever content you want.


> What I and everyone else does is use a shared secret, a
> password stored on the server, whereby the otherwise anonymous
> client gets authenticated, then gets an ephemeral cookie
> identifying him..

It seems HMAC'ing cookies is getting popular for this purpose.
OpenACS, another popular web application server, uses this:

   http://openacs.org/doc/openacs-4/security-design.html

My Python crypto kit has an implementation of the scheme described here:

http://www.pdos.lcs.mit.edu/cookies/pubs/webauth.html

I'll be interested to hear this list's view on such schemes. From my
app-plumber's perspective, such a technique is good enough provided it
is 'secure' enough.

People understand passwords. Private keys, certificates, smart cards, etc.,
are more difficult. (I recall a paper on PGP UI usability testing called
Why Johnny cannot encrypt or something like that.)


> As a result we each have a large number of shared secret
> passwords, whereby we each log into a large number of
> webservers.  Was this what the people who created this protocol
> intended?

Actually, this is the crypto-wielding-open-source-hacker-wannabe's wet
dream: So what you need now to track (or generate strong) passwords is a
GUI password safe! (Like the one offered on (the old?) Counterpane site.)

Again, Perl, Python, Ruby, yada yada, you name it, people are going to
implement them for free. ;-)

Especially since there are usually 3-5 GUI toolkits and 2-4 database toolkits
for these language environments. Enough combinations to suit everyone.


-- 
Ng Pheng Siong [EMAIL PROTECTED] 

http://firewall.rulemaker.net  -+- Manage Your Firewall Rulebase Changes
http://www.post1.com/home/ngps -+- Open Source Python Crypto  SSL
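
The HMAC'd-cookie approach discussed in this message, combined with the condition from the session fixation thread above that the cookie be generated in response to a valid login, as an added Python example (not code from the original posts, M2Crypto or OpenACS). The cookie layout (expiry, user, HMAC-SHA256 digest), the key, the user table and the function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, urlencode

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret, kept server-side
USERS = {"alice": "correct horse"}    # constructed sample; real systems store password hashes


def _mac(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user, password, now=None, lifetime=3600):
    """Mint a cookie only in response to a valid login; a value the
    client arrived with is never adopted as a session identifier."""
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    exp = int(time.time() if now is None else now) + lifetime
    payload = urlencode({"exp": exp, "data": user})
    return f"{payload}&digest={_mac(payload)}"


def verify_cookie(cookie, now=None):
    """Return the authenticated user, or None if forged, altered or expired."""
    payload, sep, digest = cookie.rpartition("&digest=")
    # Check the MAC first, in constant time, before trusting any field.
    if not sep or not hmac.compare_digest(_mac(payload).encode(), digest.encode()):
        return None
    fields = dict(parse_qsl(payload))
    if int(time.time() if now is None else now) >= int(fields["exp"]):
        return None
    return fields["data"]
```

Because the server holds no per-session state, revoking a cookie before its expiry needs either a short lifetime or a key change.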
