On Tue, Jul 11, 2000 at 01:22:27PM -0700, [EMAIL PROTECTED] wrote:
> hello,
> 
> i have a somewhat unusual question about ssl that i hope someone 
> here will be able to answer.
> 
> i'm working on an embedded device with an imap client in it. we'd 
> like to be able to authenticate to the imap server without revealing 
> the password to eavesdroppers. the only form of security for imap 
> supported by the server we use is ssl. we think that our device 
> doesn't have the horsepower to do full ssl at the datarates we need. 
> by poking around in the ssl rfc, i found that ssl has commands to 
> change the encryption algorithm dynamically. 
> 
> so my idea was this: establish a connection, turn on full-strength 
> encryption, and then send the login command. once i'm logged in, i 
> can then negotiate back down to no encryption. that way, the 
> user's password, at least, is hidden, even if nothing else is. 
> 
> is this possible? will the server allow it? what openssl function 
> would i use to turn off encryption after i've logged in?

You can do that, but the problem is that the part of the SSL protocol that
uses the most CPU cycles is the public-key operations for authenticating
the server and doing the key exchange.  That happens when the SSL
connection's set up.  So the only good that you'd be doing by switching
to a lower-protection ciphersuite after sending the login would be to
reduce the overhead of the bulk encryption algorithm (and possibly the
hashing algorithm if you renegotiate to NULL).

Since the CPU overhead for the public-key ops is a lot higher than
the symmetric-key stuff, renegotiating doesn't save you
all that much.

Another problem is that if you are using someone else's
client (i.e. a web browser), many clients won't do SSL_WITH_NULL_NULL
or SSL_WITH_NULL_MD5.


-- 
 Eric Murray www.lne.com/~ericm  ericm at the site lne.com  PGP keyid:E03F65E5
    Security consulting: security reviews, protocols, crypto, ssl.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
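A cost model for the trade-off discussed in this thread, added here as an illustration (it is not code from the thread or from OpenSSL): an RSA-sized modular exponentiation with constructed operands stands in for the handshake's public-key work, a plain RC4 stands in for the bulk cipher, and the model assumes that the renegotiation to NULL is itself a handshake costing another key exchange. From the measured numbers it computes the session size above which "encrypt the login, then drop to NULL" actually saves CPU time.

```python
import time

# Constructed 2048-bit operands, NOT a real RSA key: an odd modulus and a
# full-size exponent, as in a private-key operation done without CRT.
N_BITS = 2048
MODULUS = (1 << N_BITS) - 159
EXPONENT = (1 << (N_BITS - 1)) + 12345


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA), the SSL-era stream cipher; timing proxy only."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def handshake_cost() -> float:
    """Seconds for one RSA-sized modular exponentiation (the key exchange)."""
    t0 = time.perf_counter()
    pow(0x1234567890ABCDEF, EXPONENT, MODULUS)
    return time.perf_counter() - t0


def bulk_cost_per_byte(sample_len: int = 65536) -> float:
    """Seconds per byte of bulk encryption over a constructed buffer."""
    data = bytes(range(256)) * (sample_len // 256)
    t0 = time.perf_counter()
    rc4(b"constructed-key", data)
    return (time.perf_counter() - t0) / len(data)


def session_costs(total_bytes, login_bytes, hs, per_byte, reneg=None):
    """(full encryption, login-then-NULL) cost in seconds. Renegotiating is
    itself a handshake; assumed here to cost another full key exchange."""
    reneg = hs if reneg is None else reneg
    return hs + total_bytes * per_byte, hs + login_bytes * per_byte + reneg


def break_even_bytes(hs, per_byte, login_bytes=0, reneg=None):
    """Session size above which login-then-NULL is cheaper than full crypto."""
    reneg = hs if reneg is None else reneg
    return login_bytes + reneg / per_byte
```

Call `break_even_bytes(handshake_cost(), bulk_cost_per_byte(), 64)` to see the break-even size on your own machine; absolute timings are only rough proxies for an embedded CPU, but the fixed-cost-versus-per-byte shape of the result is the point of the reply above.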