On Mon, Nov 15, 2010 at 4:01 AM, Ashish Verma <ilu...@gmail.com> wrote:
> I want to know if it is possible for someone to gain access to resources if
> they capture a person's encrypted password.

It depends on the protocol. If it's a very simple protocol where the
initial authentication between the server and the client is only
encrypted (the remaining traffic after authentication is sent in the
clear) and no freshness (say a session key with an expiry time) is
used, then whatever you say is possible. But I doubt anybody uses such
a protocol.

> For example:
>
> Gmail uses https once the authentication process starts. This is basically
> to ensure that if anyone is listening on the network he gets garbled text.
> So if a person is able to emulate the session and send the encrypted
> password with my user-id... will he gain access to my gmail account?

Gmail uses full https. The entire traffic is encrypted and is session
key based. So if someone does the replay attack (where the adversary
stores the encrypted traffic and replays it later on) to authenticate
himself, the session key would no longer be the same. So the server
(here gmail) will not be able to decrypt your message. If the attacker
does this during an active session (i.e. the session keys are still
valid), he will be able to send this emulated/stored encrypted traffic
and the server will validate it. But since the adversary does not know
the session key, he will receive back encrypted garbage which only the
"client" (with the correct session key) can decrypt. So again this is
not very useful.

And of course by the very nature of encryption (one way functions[1])
it is not possible/very hard to retrieve the key from encrypted
data.

In short you are OK *in general*. But then one can do slightly
sophisticated attacks. IMO security is always an illusion :)

Hope this helps.

[1] http://en.wikipedia.org/wiki/One-way_function
[2] http://en.wikipedia.org/wiki/Transport_Layer_Security

Regards,
Aanjhan
_______________________________________________
ILUGC Mailing List:
http://www.ae.iitm.ac.in/mailman/listinfo/ilugc
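The replay scenario discussed in the reply above, as an added simulation that is not part of the thread: a toy record layer (SHA-256 keystream plus HMAC, standing in for real TLS ciphers) whose session key is derived from fresh per-handshake randoms, so a captured "encrypted password" record fails to verify under the next session's key. It goes one step further than the message by binding the record sequence number into the MAC, which is how TLS also rejects a replay within a still-live session. The shared secret and password are constructed values.

```python
import hashlib
import hmac
import os

def derive_session_key(shared_secret: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Toy stand-in for a TLS key schedule (assumption, not real TLS): the key
    mixes fresh per-handshake randoms, so every session gets a different key."""
    return hashlib.sha256(b"session-key|" + shared_secret + client_random + server_random).digest()

def _keystream(key: bytes, seq: int, length: int) -> bytes:
    # Counter-mode keystream from SHA-256; the record sequence number is part of the input.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + seq.to_bytes(8, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def protect_record(key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; the sequence number is bound into both keystream and MAC."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, seq, len(plaintext))))
    tag = hmac.new(key, seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    return ct + tag

def unprotect_record(key: bytes, seq: int, record: bytes):
    """Return the plaintext, or None when the MAC does not verify under this key and sequence number."""
    ct, tag = record[:-32], record[-32:]
    expected = hmac.new(key, seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, seq, len(ct))))

SHARED_SECRET = b"constructed-handshake-secret"   # constructed; stands in for the handshake output
PASSWORD = b"correct horse battery staple"       # constructed sample credential

def simulate() -> dict:
    # Session 1: fresh randoms give key1; the client sends the password as record 0; attacker captures it.
    key1 = derive_session_key(SHARED_SECRET, os.urandom(32), os.urandom(32))
    captured = protect_record(key1, 0, PASSWORD)
    legit = unprotect_record(key1, 0, captured)
    # In-session replay: the server has consumed record 0 and now expects sequence number 1.
    in_session = unprotect_record(key1, 1, captured)
    # Cross-session replay: the attacker starts a new session; a new handshake yields key2.
    key2 = derive_session_key(SHARED_SECRET, os.urandom(32), os.urandom(32))
    cross_session = unprotect_record(key2, 0, captured)
    return {"legit": legit, "in_session_replay": in_session, "cross_session_replay": cross_session}

if __name__ == "__main__":
    print(simulate())
```

Both replay results come back as None (MAC failure), while the original delivery in session 1 yields the plaintext.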