Re: [Monotone-devel] Re: Transport encryption
In message [EMAIL PROTECTED] on Thu, 13 Oct 2005 10:36:16 +0100, Bruce Stephens [EMAIL PROTECTED] said:

> Richard Levitte - VMS Whacker [EMAIL PROTECTED] writes:
>
> > [...]
> >
> > I'm not sure why we would want to use anonymous cipher
> > suites. We currently sign the stream both ways, right?
> > Why should we stop?
>
> [...]
>
> I'm suggesting another would be to leave monotone's protocol
> just as it is (complete with signing), and just to use TLS
> to provide an encryption wrapper around it, for those that
> want such a thing.

Not having played with the anonymous cipher suites at all, I'm really
walking on thin ice when talking about it. I was under the impression
that all the anonymous cipher suites used EDH (Ephemeral DH?), so using
that would also require a bit more of monotone than you might think...

> > I can inform you, again, that OpenSSL supports
> > non-blocking I/O.
>
> I know. monotone is under the GNU GPL, and OpenSSL's
> licence doesn't quite fit with that. (On the whole, I'd be
> in favour of adding the standard exception to permit
> monotone to link with OpenSSL, but maybe there's something
> GNU GPL required by monotone that would prevent that.)

Oh, right, the farking license incompatibility thingy, I forgot about
that...

Cheers,
Richard

-
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

--
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/

When I became a man I put away childish things, including
the fear of childishness and the desire to be very grown up.
-- C.S. Lewis

___
Monotone-devel mailing list
Monotone-devel@nongnu.org
http://lists.nongnu.org/mailman/listinfo/monotone-devel
Re: [Monotone-devel] Re: Transport encryption
Bruce Stephens spake unto us the following wisdom:
> Nathaniel Smith [EMAIL PROTECTED] writes:
>
> > We can already do replication across multiple hosts, that are
> > heterogeneous in any way I can think of, and the replication is
> > secure against tampering, man-in-the-middle, and so on -- it's just
> > that people could peek at the data while it goes by.
>
> In which case the problems with keys and certificates don't have to
> be relevant; doesn't TLS have anonymous cipher suites, which can be
> used without either end authenticating (and without either having a
> certificate)? In which case that could be used just as an encrypting
> wrapper, and the existing monotone protocol can continue to do all
> the authentication.

Unless I'm missing something, using TLS without certificates will not
give you much security at all ... monotone itself will guarantee that
there is no man-in-the-middle *changing* your stream, but if the
encryption isn't authenticated then someone could still be *reading*
your stream. In that case, why bother with encryption at all.

Ethan

--
The laws that forbid the carrying of arms are laws [that have no remedy
for evils]. They disarm only those who are neither inclined nor
determined to commit crimes.
-- Cesare Beccaria, On Crimes and Punishments, 1764
[Monotone-devel] Re: Transport encryption
Richard Levitte - VMS Whacker [EMAIL PROTECTED] writes:

> [...]
>
> Not having played with the anonymous cipher suites at all, I'm really
> walking on thin ice when talking about it. I was under the impression
> that all the anonymous cipher suites used EDH (Ephemeral DH?), so using
> that would also require a bit more of monotone than you might think...

I've never used them, either. I assumed one just selected one, and the
library would do its stuff. Maybe the handshake takes longer, but
presumably after that it's just using a symmetric cipher.

So what does monotone need to provide? DH parameters, I guess, but those
could be built in. I don't know, though, maybe there are security
considerations in every user of monotone using the same parameters.

I suppose monotone could construct a self-signed X.509 certificate out of
its server key, and use that (as a client, it wouldn't need to do any
verification at the TLS level, so the coding would just be about
constructing the certificate). An easy way would be to use something like
OpenSSL to code up the certificate correctly, but if we didn't care about
the contents (except for the public key and signature) I'll bet it would
be reasonably straightforward to special-case the actual encoding.

[...]
[Monotone-devel] Re: Transport encryption
Ethan Blanton [EMAIL PROTECTED] writes:

> [...]
>
> Unless I'm missing something, using TLS without certificates will not
> give you much security at all ... monotone itself will guarantee that
> there is no man-in-the-middle *changing* your stream, but if the
> encryption isn't authenticated then someone could still be *reading*
> your stream. In that case, why bother with encryption at all.

I think that's right, but that doesn't necessarily rule it out. As
always, I imagine it depends on your threat model. If you're worried
about people reading your source using ethereal or something, then an
anonymous cipher would still be valuable. If you're worried about MITM,
then it wouldn't be useful.

I've never looked at GNU TLS. Maybe it would be straightforward enough to
change the handshaking to use monotone's existing keys rather than what
it uses now? Or maybe it's best just to invent something. That tends not
to be advised, though (it's easy to make a mistake).

[...]
Re: [Monotone-devel] Re: Transport encryption
On Thu, Oct 13, 2005 at 10:36:16AM +0100, Bruce Stephens wrote:
> I'm suggesting another would be to leave monotone's protocol
> just as it is (complete with signing), and just to use TLS
> to provide an encryption wrapper around it, for those that
> want such a thing.

It doesn't work like this -- if you want MITM protection, your
authentication has to be tied into all your actual crypto use. So in
this scenario, a MITM attacker couldn't alter the stream (because our
HMACing is tied into the authentication), but they could eavesdrop on
everything, despite the encryption.

-- Nathaniel

--
But in Middle-earth, the distinct accusative case disappeared from the
speech of the Noldor (such things happen when you are busy fighting
Orcs, Balrogs, and Dragons).
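The point Ethan and Nathaniel make in this thread (a key exchange that is not tied to authentication stops tampering but not reading, because an active party in the path can hold a separate key with each end) can be seen in a small simulation. This is an added example, not code from the thread or from monotone: a toy Diffie-Hellman handshake in Python, run first unauthenticated (the anonymous-cipher-suite situation) and then with the server's ephemeral public value bound to a long-term identity key, the shape Bruce's self-signed-certificate idea would take. The HMAC under an assumed shared identity key stands in for the RSA signature a real implementation would verify against a known public key; the XOR keystream cipher, the relay, the identity key and the message are all constructed for illustration. The DH group is the 1024-bit MODP prime from RFC 2409 (group 2), which is used here only so the arithmetic is realistic.

```python
import hashlib
import hmac
import secrets

# 1024-bit MODP prime from RFC 2409 (group 2) and its generator; chosen so the
# example runs with the standard library only. Current deployments use larger
# groups or elliptic-curve DH.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
PUB_BYTES = (P.bit_length() + 7) // 8


def dh_keypair():
    """Ephemeral DH key pair: private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def session_key(private, peer_public):
    """Symmetric key derived from the shared secret peer_public^private mod p."""
    shared = pow(peer_public, private, P)
    return hashlib.sha256(shared.to_bytes(PUB_BYTES, "big")).digest()


def sign_public(identity_key, public):
    """Constructed stand-in for a long-term signature over the ephemeral value:
    an HMAC under an identity key the legitimate endpoints share, playing the
    role of an RSA signature that the peer checks against a known public key."""
    return hmac.new(identity_key, public.to_bytes(PUB_BYTES, "big"), hashlib.sha256).digest()


def verify_public(identity_key, public, tag):
    return hmac.compare_digest(sign_public(identity_key, public), tag)


def xor_stream(key, data):
    """Toy symmetric cipher for illustration only: XOR with a SHA-256 keystream."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def anonymous_handshake_via_relay(message):
    """Unauthenticated exchange with a relay in the path. Neither side checks
    whose public value it received, so the relay completes one DH exchange with
    each endpoint. The server receives exactly what the client sent (nothing is
    altered), yet the relay has read it: encryption alone only defeats a passive
    observer."""
    a, A = dh_keypair()  # client
    b, B = dh_keypair()  # server
    r, R = dh_keypair()  # relay, offering its own public value to both sides

    k_client = session_key(a, R)        # client believes R came from the server
    k_relay_client = session_key(r, A)  # equals k_client: g^(ra) both ways
    k_server = session_key(b, R)        # server believes R came from the client
    k_relay_server = session_key(r, B)

    on_wire = xor_stream(k_client, message)
    relay_view = xor_stream(k_relay_client, on_wire)        # relay decrypts ...
    forwarded = xor_stream(k_relay_server, relay_view)       # ... and re-encrypts
    server_view = xor_stream(k_server, forwarded)
    return {"server_received": server_view, "relay_read": relay_view}


def authenticated_handshake_via_relay(identity_key, message, relay_active=True):
    """Same exchange, but the server signs its ephemeral value with its
    long-term key and the client verifies before deriving a session key. A relay
    that substitutes its own value cannot sign it, so the client aborts; a relay
    that forwards the signed value untouched never learns the session key."""
    a, A = dh_keypair()
    b, B = dh_keypair()
    r, R = dh_keypair()

    tag = sign_public(identity_key, B)
    offered = R if relay_active else B  # the relay can swap the value, not the tag
    if not verify_public(identity_key, offered, tag):
        return {"outcome": "aborted", "server_received": None, "relay_can_decrypt": False}

    k_client = session_key(a, offered)
    k_server = session_key(b, A)
    relay_can_decrypt = session_key(r, A) == k_client  # g^(ra) != g^(ab)
    server_view = xor_stream(k_server, xor_stream(k_client, message))
    return {"outcome": "completed", "server_received": server_view,
            "relay_can_decrypt": relay_can_decrypt}


if __name__ == "__main__":
    msg = b"revision payload (constructed sample)"
    print("anonymous:", anonymous_handshake_via_relay(msg))
    print("authenticated, relay substituting:",
          authenticated_handshake_via_relay(b"server-identity-key", msg)["outcome"])
    print("authenticated, relay forwarding:",
          authenticated_handshake_via_relay(b"server-identity-key", msg, False)["outcome"])
```

The unauthenticated run is what an anonymous TLS suite underneath monotone's own signing gives: monotone's signatures cover the inner stream, so they stop the relay from altering anything, but they never touch the TLS key exchange, which is why the relay still derives both session keys. In the authenticated run the signature over the ephemeral value is what ties the long-term identity to the keys actually used for encryption, which is the binding Nathaniel describes.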
[Monotone-devel] Re: Transport encryption
Nathaniel Smith [EMAIL PROTECTED] writes:

> [...]
>
> We can already do replication across multiple hosts, that are
> heterogeneous in any way I can think of, and the replication is
> secure against tampering, man-in-the-middle, and so on -- it's just
> that people could peek at the data while it goes by.

In which case the problems with keys and certificates don't have to be
relevant; doesn't TLS have anonymous cipher suites, which can be used
without either end authenticating (and without either having a
certificate)? In which case that could be used just as an encrypting
wrapper, and the existing monotone protocol can continue to do all the
authentication.

So then we're back to TLS libraries not doing asynchronous I/O (and not
being very convenient to use, which I go along with). I'm reasonably
sure GNU TLS is intended to support non-blocking I/O; it surely can't be
*that* hard to fix it, if the I/O turns out not to be quite complete?
Re: [Monotone-devel] Re: Transport encryption
> > I don't have any particular plans to implement it myself, and
> > writing my own crypto protocol makes me Very Very Nervous. And SSL
> > and SSH libraries seem to be uniformly horrid.
>
> I haven't looked at any SSH ones, but OpenSSL doesn't seem too
> horrible---I'd guess it's not much more horrible than is necessary.
> (It compares fairly reasonably in usability with a commercial one I
> used from Baltimore, for example.)

There is also the NSS library:
http://www.mozilla.org/projects/security/pki/nss/. This is triple
licensed under MPL, GPL, and LGPL, and supports SSLv2, SSLv3, TLS,
X.509v3, and so on. I do not know if the library is better or worse than
the OpenSSL library.
Re: [Monotone-devel] Re: Transport encryption
Bruce Stephens [EMAIL PROTECTED] wrote:
> Yes, that's likely to be an issue. The two APIs I've seen assume you
> want to use X.509 certs and things, I think (even though TLS doesn't
> require it, IIRC).

I think GNU TLS is working on supporting OpenPGP keys; might be
extendable to what Monotone is doing.