verisign-entrust

Simos Xenitellis S.Xenitellis at rhbnc.ac.uk
Tue Jun 20 13:22:40 EEST 2000


> ----------
> From: 	Nikos Mavroyanopoulos[SMTP:nmav at hellug.gr]
> Reply To: 	linux-greek-users at hellug.gr
> Sent: 	18 June 2000 21:23
> To: 	linux-greek-users at hellug.gr
> Subject: 	Re: verisign-entrust
> 
> On Sun, Jun 18, 2000 at 07:59:56PM +0100, Xenitellis S wrote:
> 
> > In SSH, the user must have an account on the server. In Netscape
> > you have similar functionality when you use "user certificates".
> > In general on the Internet, only the server "proves" who it is, not
> > the user.
> But I didn't say that the user proves anything. The ssh algorithm
> is vulnerable to a man-in-the-middle attack at the moment of the first
> connection. From the moment it stores the key, the algorithm is secure.
> TLS has this same level of security when there is no certificate, or
> when you have to download it at that moment.

Hmm, from that point of view, I think you can consider every
authentication algorithm to be vulnerable to a man-in-the-middle attack.
The problem with the algorithms is the initial setup of the keys.
If you cannot be sure at the start who you are talking to, then you will
have such problems. To connect with SSH to a system, you depend on DNS
(if you give a machine name) and then on the IP address.
An administrator can get his hands on both.
When you place your security system on top of an insecure system,
you must expect that the final system will not have "proven" security.
You cannot trust a computer if it does not have some "trusted computing
base", that is, some basic software that cannot be changed by a third
party. Can you trust a Linux system that some unknown person had in his
hands for a few hours?

It would be interesting if there were an implementation (modification) of
the SSH software that demonstrates the man-in-the-middle attack, for
"proof of concept" purposes.

They say that SSH supports "perfect forward secrecy". This means that
even if you have a recording of an SSH communication and obtain the
password, you cannot decrypt the communication. Perhaps this too has
some implications.

SSH supports various authentication methods.
For example, authentication using a password, authentication with RSA,
etc. If there is a need, you can send your public key to the other
system in some 'out of band' way.

The solution that is followed is this: such an attack is "intrusive"
and cannot be carried out on a large scale without someone noticing.
Since no incidents have been heard of, we can assume that there is no
problem. It is common practice for problems to be solved only when they
appear :(

> 
> > > The advantage of certicom, entrust etc. is that netscape already
> > > has their keys built in.
> > To put Hellug's "root certificate" into that database, it is enough
> > to go just once to http://certs.hellug.gr/root.crt and say "Yes"
> > (or Nai) to whatever netscape tells you.
> This procedure too is vulnerable to a man-in-the-middle attack. Anyone
> can slip you a different certificate, so every transaction is insecure
> from then on.

Here too an implementation is needed to prove the idea. Here too you have
to play with DNS. The certificate states the "domain name" for which
the certificate is valid.

If you manage to make a proof-of-concept implementation of the problem
with the certificates, I know a Thai woman who would appreciate it quite
a lot. (She is doing a PhD on these things...)

Simos Xenitellis


--
linux-greek-users mailing list -- http://lists.hellug.gr
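
Added example, not part of the original message: a Python check for the 'out of band' key exchange mentioned above, comparing the key a server offers on first connection with a fingerprint obtained over a separate channel. It uses the SHA256 fingerprint format printed by current OpenSSH; the key material and all names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct


def fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of '<type> <base64-blob> [comment]'."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    # The blob begins with a length-prefixed copy of the key type. A mismatch
    # means the line is malformed or was edited by hand.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_first_contact(offered_line: str, trusted_fp: str) -> bool:
    """True only if the offered key matches the out-of-band fingerprint."""
    return hmac.compare_digest(fingerprint(offered_line), trusted_fp)


def _constructed_key(raw32: bytes, comment: str) -> str:
    # Builds a syntactically valid ssh-ed25519 line from constructed bytes.
    t = b"ssh-ed25519"
    blob = struct.pack(">I", len(t)) + t + struct.pack(">I", len(raw32)) + raw32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


# Constructed sample data: the real server key, and a different key such as
# the one a client would see if DNS or routing pointed it at another host.
SERVER_KEY = _constructed_key(bytes(range(32)), "constructed-server")
OTHER_KEY = _constructed_key(bytes(range(1, 33)), "constructed-other")
# Stands in for the fingerprint the administrator gives you by phone or paper.
TRUSTED_FP = fingerprint(SERVER_KEY)

if __name__ == "__main__":
    for name, line in (("server", SERVER_KEY), ("other", OTHER_KEY)):
        ok = check_first_contact(line, TRUSTED_FP)
        print(name, fingerprint(line), "ACCEPT" if ok else "REJECT")
```

The same comparison applies to a downloaded root certificate: hash the file and compare it with a fingerprint received through a channel the network path cannot alter.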



