verisign-entrust

Nikos Mavroyanopoulos nmav at hellug.gr
Tue Jun 20 14:50:27 EEST 2000


On Tue, Jun 20, 2000 at 10:22:40AM +0000, Simos Xenitellis wrote:

> > Apo tin stigmi pou apothikeusei to key tote o algorithmos einai asfalis.
> > Autou tou epipedou tin asfaleia exei kai to TLS otan den yparxei
> > certificate, h otan prepei na to katevaseis ekeini tin stigmi.
> Hmm, apo aftin tin apopsi, nomizw oti mporeis na 8ewriseis oti ka8e
> algorithmos afthentikopoiisis einai evalotos se man-in-the-middle epi8esi.
> To problima tvn algorithmwn einai to arxiko stisimo tvn kleidiwn.
> An den mporeis na eisai sigouros arxika me poion milas, tote 8a exeis
> tetoia problimata. 
Gi'auto to TLS ebale ton CA sto protokolo (kati pou den exei to ssh).

> Gia na sinde8eis me SSH se ena sistima, ejartase apo to
> DNS (an dwseis onoma mixanimatos) kai meta apo tin diefthinsi IP.
> Kai sta dyo mporei kapoios administrator na valei to xeraki tou.
Den milaw gia syndesi se allo mixanima (px na allaxei kapoios to dns),
alla syndesi sto swsto mixanima kai man-in-the-middle attack.
Auto proipothetei oti kapoios endiamesos stin epikoinwnia mporei
na kovei, tropopoiei kai stelnei paketa (kapoios router?).

Px to ssh1 protokolo doulevei ws exis:
* O server stelnei to server RSA public key ston client (idio kathe fora)
* O server stelnei to host RSA public key tou ston client (allazei kathe wra)
* o client elegxei an to server RSA key einai to idio me auto pou exei
  stin database tou (stin prwti syndesi den exei tipota)
* o client kanei encrypt me ta dyo RSA public keys pou pire ena tyxaio string
* o client stelnei to encrypted string ston server
* o server to apokryptografei kai twra kai oi dyo xrisimopoioun auto
  to string san key kai allazoun se kapoion symmetriko algorithmo (px idea)

Pws kaneis man-in-the-middle attack:
* O server stelnei to server RSA public key ston client (idio kathe fora)
* O server stelnei to host RSA public key tou ston client (allazei kathe wra)
- Auta den ftanoun pote ston client (me kapoio tropo ta kovw)
- Stelnw (prospoioumenos ton server) ston client ta dika mou server kai host 
  RSA keys
* o client elegxei an to server RSA key einai to idio me auto pou exei
  stin database tou. An einai i prwti fora pou syndeetai (kai ara den exei 
  tipota stin database tou) tote i epithesi petyxe.
* o client kanei encrypt me ta dyo RSA public keys pou pire ena tyxaio string
* o client stelnei to encrypted string ston server
- Auto den ftanei pote ston server 
- Kanw decrypt to string (giati einai encrypted me to diko mou kleidi) kai
  to kanw encrypt me to server kai host public key.
- Prospoioumenos ton client stelnw to encrypted string ston server
* o server to apokryptografei kai twra kai oi dyo xrisimopoioun auto
  to string san key kai allazoun se kapoion symmetriko algorithmo (px idea)
- Nomizoun oti i epikoinwnia einai asfalis, alla egw exw to kleidi (string) kai
  mporw na tin parakolouthisw.

- Auto mporei na epanalifthei kai stis epomenes syndeseis.

> Otan topo8eteis to systima asfaleias sou panw se ena anasfales systima,
> prepei na anameneis oti to teliko systima den 8a exei
> "apodedeigmeni" asfaleia. Den mporeis na epistefteis enan ypologisti an
> den exei kapoio "trusted computing base", diladi na exei kapoio basiko
> logismiko to opoio na min mporei na allaxtei apo trito xristi. Mporeis na
> epistefteis ena systima Linux to opoio kapoios agnvstos to eixe sta
> xerakia tou gia merikes ores?
Ma den milame gia problima tou systimatos. An deis tin parapanw epithesi
tha deis oti den mplextike katholou anasfaleia kapoiou apo ta dyo sistimata,
para mono kapoiou endiamesou router.

> toy SSH outws wste na kanei epidijh tis man-in-the-middle epi8esis, gia
> logous "proof of concept".
Den einai tipota na ginei. To lsh px arneitai tin syndesi tin prwti fora an
den exeis to public key tou server. Auto einai kali ylopoiisi afou den
se afinei na nomizeis pws i epikoinwnia einai asfalis.

> > > netscape na les "Yes" (h Nai).
> > Kai auth i diadikasia einai troti se man-in-the-middle-attack. Mporei
> > opoiosdipote na sou pasarei allo certificate opote kathe synalagi
> > einai anasfalis pia.
> Kai edw xreiazete mia ylopoiisi gia apodeiji tis ideas. Prepei kai edw na 
> paijeis me to DNS. To pistipoiitiko anaferei to "domain name" gia to opoio
> to pistipoiitiko einai egkyro. 
Den xreiazetai kan prosvasi sto dns opws sou edeixa parapanw.

> An katafereis na kaneis mia ylopoiisi apodeijis tis ideas me to problima
> me ta pistopoiitika, jerw mia tailandesa pou 8a to ektimouse arketa.
> (kanei didaktoriko se ayta...)
Oso kali kai na einai i tailandesa xreiazomai kalytero kinitro gia
kati tetoio.

> Simos Xenitellis

-- 
Nikos Mavroyanopoulos
mailto:nmav at hellug.gr

--
linux-greek-users mailing list -- http://lists.hellug.gr




More information about the Linux-greek-users mailing list