Dj Browne wrote:
> 
> Also Excellent!  Would this be more along the lines of adding it at the
> application layer (telnet)?
> 
>  Rather than tying this to a particular app protocol I would love to see it
> at the TLS layer so that it generates the pre-master secret directly.
> 
>   When I was thinking about this a while ago I considered doing the SRP
> separate from TLS and then using it to do crypto separately in a bulk way
> and not relying on TLS.  Is there any strong feeling one way or the
> other?  I personally like the work Mr. Taylor has done as a starting point.

Currently, Telnet over TLS (START_TLS) supports SRP by doing a
"conventional" (server-cert-based or anonymous) TLS session handshake
after the START_TLS option is negotiated, and then doing SRP
authentication via the Telnet AUTH option.  The SRP negotiation
incorporates the TLS finished messages into its own handshake, to
prevent MITM attacks against the TLS session, if it was anonymous or if
the server cert was not trusted.

Once SRP is supported natively as TLS ciphersuites, I will add support
to SRP telnet/telnetd to support the use of these ciphersuites to
identify/authenticate the user directly (similar to Kerberos V5), as
opposed to the current approach of doing SRP separately inside a TLS
session.

I agree with you that native ciphersuite support inside TLS and OpenSSL
is a Good Thing, since it doesn't require each app/protocol to
incorporate subsequent SRP authentication support in its own
app/protocol-specific way.  It also provides a nice one-stop-shopping
solution for developers who want secure password authentication plus
transport security for their applications.

Tom

> Later,
> dj
> 
> On Sun, 11 Mar 2001, Tom Wu wrote:
> 
> :Jeffrey Altman wrote:
> :>
> :> >
> :> > hi,
> :> >
> :> >   I recently found an IETF draft written by David Taylor that proposes the
> :> > addition of a new ciphersuite.
> :> >
> :> > >A URL for this Internet-Draft is:
> :> > >http://www.ietf.org/internet-drafts/draft-ietf-tls-srp-00.txt
> :> >
> :> >
> :> > Has this thought come across the OpenSSL To Do list?  Is there any comment
> :> > on this draft?
> :> >
> :>
> :> It's on my to do list.
> :
> :I will be doing integration work with START_TLS+SRP telnet/telnetd and
> :doing interoperability testing.
> :
> :>  Jeffrey Altman * Sr.Software Designer      C-Kermit 7.1 Alpha available
> :>  The Kermit Project @ Columbia University   includes Secure Telnet and FTP
> :>  http://www.kermit-project.org/             using Kerberos, SRP, and
> :>  [EMAIL PROTECTED]          OpenSSL.  SSH soon to follow.
> :> ______________________________________________________________________
> :> OpenSSL Project                                 http://www.openssl.org
> :> Development Mailing List                       [EMAIL PROTECTED]
> :> Automated List Manager                           [EMAIL PROTECTED]
> :
> :

-- 
Tom Wu
Principal Software Engineer
Arcot Systems
(408) 969-6124
"The Borg?  Sounds Swedish..."
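
The binding Tom describes (SRP authentication that incorporates the TLS Finished messages), modelled as an added example that is not part of the original thread and is not the Telnet AUTH SRP wire format. The function names, the labels, the HMAC-SHA-256 construction and the constructed handshake strings are all assumptions made for illustration.

```python
import hashlib
import hmac

def finished_values(handshake: bytes) -> bytes:
    """Model of the two TLS Finished values: unique to one handshake.
    (Real TLS computes them with its PRF; a hash is enough for this model.)"""
    client_fin = hashlib.sha256(b"client finished" + handshake).digest()[:12]
    server_fin = hashlib.sha256(b"server finished" + handshake).digest()[:12]
    return client_fin + server_fin

def proof(srp_key: bytes, finished: bytes = b"") -> bytes:
    """Client's proof that it holds the SRP session key. Passing the Finished
    values binds the proof to one TLS session; the empty default is unbound."""
    return hmac.new(srp_key, b"srp-auth" + finished, hashlib.sha256).digest()

def server_accepts(srp_key: bytes, received: bytes, finished: bytes = b"") -> bool:
    """Server recomputes the proof from its own view and compares in constant time."""
    return hmac.compare_digest(proof(srp_key, finished), received)

def run(relayed: bool, bound: bool) -> bool:
    """Return True if the server accepts the login.
    relayed=True models a middle party that terminated an anonymous TLS session
    on each side and forwards the SRP messages unchanged, so client and server
    still agree on srp_key but each saw a different TLS handshake."""
    srp_key = hashlib.sha256(b"constructed SRP session key").digest()
    client_side = finished_values(b"constructed handshake A")
    server_side = finished_values(b"constructed handshake B") if relayed else client_side
    if bound:
        sent = proof(srp_key, client_side)
        return server_accepts(srp_key, sent, server_side)
    sent = proof(srp_key)
    return server_accepts(srp_key, sent)

if __name__ == "__main__":
    for relayed in (False, True):
        for bound in (False, True):
            print(f"relayed={relayed!s:5} bound={bound!s:5} accepted={run(relayed, bound)}")
```

Only the bound proof is rejected when the two ends saw different TLS handshakes; the unbound proof is accepted in both cases, which is the gap the Finished-message binding closes.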