Re: Unpatented PAKE!
Ben Laurie wrote:
> Scott G. Kelly wrote:
>> Here's another approach to password authenticated key exchange with
>> similar security claims. The underlying mechanism is under
>> consideration for inclusion by the 802.11s group in IEEE:
>>
>> http://www.ietf.org/internet-drafts/draft-harkins-emu-eap-pwd-01.txt
>
> Hmmm. I don't see any IPR statements for that draft.

My understanding is that there are no IPR claims on this method. I am not a lawyer, though.

--Scott

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Unpatented PAKE!
[Moderator's note: Please do not top post. --Perry]

Here's another approach to password authenticated key exchange with similar security claims. The underlying mechanism is under consideration for inclusion by the 802.11s group in IEEE:

http://www.ietf.org/internet-drafts/draft-harkins-emu-eap-pwd-01.txt

-Original Message-
> From: "Perry E. Metzger" <[EMAIL PROTECTED]>
> Sent: May 30, 2008 2:27 PM
> To: Ben Laurie <[EMAIL PROTECTED]>
> Cc: Cryptography
> Subject: Re: Unpatented PAKE!
>
>
> Ben Laurie <[EMAIL PROTECTED]> writes:
>> http://grouper.ieee.org/groups/1363/passwdPK/submissions/hao-ryan-2008.pdf
>>
>> At last.
>
> See also:
>
> http://www.lightbluetouchpaper.org/2008/05/29/j-pake/
>
> Looks quite interesting indeed.
>
> Perry
Re: man in the middle, SSL
James Muir wrote:
> I was reading a hacking blog today and came across this:
>
> http://www.darknet.org.uk/2007/02/odysseus-win32-proxy-telemachus-http-transaction-analysis/
>
>> Odysseus is a proxy server, which acts as a man-in-the-middle during
>> an HTTP session. A typical HTTP proxy will relay packets to and from
>> a client browser and a web server. Odysseus will intercept an HTTP
>> session's data in either direction and give the user the ability to
>> alter the data before transmission.
>>
>> For example, during a normal HTTP SSL connection a typical proxy will
>> relay the session between the server and the client and allow the two
>> end nodes to negotiate SSL. In contrast, when in intercept mode,
>> Odysseus will pretend to be the server and negotiate two SSL
>> sessions, one with the client browser and another with the web
>> server.
>>
>> As data is transmitted between the two nodes, Odysseus decrypts the
>> data and gives the user the ability to alter and/or log the data in
>> clear text before transmission.
>>
>> You can find more and download Odysseus here:
>>
>> http://www.bindshell.net/tools/odysseus
>
> It is my understanding that SSL is engineered to resist mitm attacks, so
> I am suspicious of these claims. I wondered if someone more familiar
> with SSL/TLS could comment.
>
> Isn't it the case that the application doing SSL on the client should
> detect what this proxy server is doing and display a warning to the user?

If the user's browser is configured to accept a CA cert for which the proxy holds the signing key, then the proxy can generate a (bogus) cert for the destination site on the fly, and this will be transparent to the user.

Scott
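The point Scott makes is that the browser's trust store, not the TLS protocol, decides whether the proxy's on-the-fly certificate is accepted. A client that pins what it expects to see (the issuer that really signs the site's certificate, or the fingerprint of the genuine leaf) can still notice the substitution. The following is an added example written for this page, not code from the thread or from Odysseus: it checks a peer certificate in the dict shape Python's `ssl` module returns from `getpeercert()` and the DER bytes from `getpeercert(binary_form=True)`. The certificate dicts, DER byte strings and CA names are constructed stand-ins, and `audit_live_connection` is a hypothetical helper showing where the check would sit in real code.

```python
"""Added example: detecting a proxy-forged server certificate on the client.

An interception proxy holding a locally trusted CA key mints a leaf whose
subject matches the destination site but whose issuer is the proxy's CA and
whose key (hence DER fingerprint) differs from the genuine server's. Pinning
either the expected issuer or the expected leaf fingerprint exposes this even
though the local trust store accepts the forged chain.
"""
import hashlib
import socket
import ssl


def rdn_value(name, attr):
    """Extract attribute `attr` (e.g. 'commonName') from a getpeercert()-style
    name: a tuple of RDNs, each RDN a tuple of (type, value) pairs."""
    for rdn in name:
        for typ, value in rdn:
            if typ == attr:
                return value
    return None


def fingerprint(der_bytes):
    """SHA-256 hex digest of the DER-encoded certificate."""
    return hashlib.sha256(der_bytes).hexdigest()


def check_peer_cert(cert, der_bytes, expected_issuer_cn, pinned_fingerprints):
    """Return a list of findings; an empty list means the cert matches the pins."""
    findings = []
    issuer_cn = rdn_value(cert.get("issuer", ()), "commonName")
    if issuer_cn != expected_issuer_cn:
        findings.append(
            f"issuer mismatch: got {issuer_cn!r}, expected {expected_issuer_cn!r}")
    fp = fingerprint(der_bytes)
    if fp not in pinned_fingerprints:
        findings.append(f"leaf fingerprint {fp[:16]}... not in pin set")
    return findings


def audit_live_connection(host, expected_issuer_cn, pinned_fingerprints, port=443):
    """Hypothetical helper (not run here): apply the check to a real handshake.
    The default context still validates the chain against the trust store, so
    a proxy CA that the OS trusts would pass that step; the pin check is what
    catches it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return check_peer_cert(tls.getpeercert(),
                                   tls.getpeercert(binary_form=True),
                                   expected_issuer_cn, pinned_fingerprints)


# Constructed sample data (stand-ins, not real certificates or CAs).
GENUINE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Trust Ltd"),),
               (("commonName", "Example Public CA"),)),
}
FORGED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),   # same subject
    "issuer": ((("commonName", "Corporate Interception CA"),),),
}
GENUINE_DER = b"constructed DER stand-in: genuine leaf"
FORGED_DER = b"constructed DER stand-in: leaf minted by the proxy"
PINS = {fingerprint(GENUINE_DER)}


if __name__ == "__main__":
    for label, cert, der in (("genuine", GENUINE_CERT, GENUINE_DER),
                             ("forged", FORGED_CERT, FORGED_DER)):
        result = check_peer_cert(cert, der, "Example Public CA", PINS)
        print(label, "->", result or "OK")
```

Run stand-alone it reports the genuine certificate as OK and two findings for the forged one (wrong issuer, unpinned fingerprint). The subject check alone would not help: the whole point of the proxy's bogus cert is that its subject matches the destination site.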
Re: SSL
Hi Jill,

To add to Perry's note, I think Eric's book is very good, and I've also been reading "Network Security with OpenSSL", an O'Reilly book by Viega, Messier, and Chandra - it's been exceedingly helpful in understanding and working with openssl.

Scott

[EMAIL PROTECTED] wrote:
| Hi,
|
| I've been following the SSL thread with great interest, but the truth is I
| don't know enough about SSL to add anything meaningful to the discussion.
|
| But this much remains true: I'm a competent programmer, and I know enough
| about crypto to put together some basic algorithms (like the early PGPs I
| guess). However, the complexity of the OpenSSL library has me stumped.
| (Plus, it's Unix-centric. I'd like to turn it into a Visual Studio port so I
| could compile without needing cygwin, gcc, etc., but that's another story).
|
| I'm not going to complain. That's been done to death here. Instead, I have a
| different question: Where can I learn about SSL?
|
| As in, could someone recommend a good book, or online tutorial, or
| something, somewhere, that explains it all from pretty much first
| principles, and leaves you knowing enough at the end to be able to make
| sensible use of OpenSSL and similar? I don't want a "For Dummies" type book
| - as I said, I'm reasonably competent - but I would really like access to a
| helpful tutorial. I want to learn. So what's the best thing to go for?
|
| Jill
|
|
| [Moderator's Note: Eric Rescorla (aka "Ekr") wrote an entire book on
| the topic which is pretty much definitive on the general topic of
| SSL/TLS. As for OpenSSL itself, as a package that changes from release
| to release, only its own documentation is 100% definitive. --Perry]