Bill Browning wrote:
>
> Yes I must agree on re-read I made two fatal mistakes. One should definitely
> not pass encrypted tokens to the client and one should not design an
> authentication scheme in the time it takes to type out a message. Proper
> approach would have been to replace steps 4 and 5
> Sent: Tuesday, March 20, 2001 3:58 PM
> To: [EMAIL PROTECTED]
> Subject: Re: How can I encrypt public key in handshake?
>
> > > 3. Verify that the server is who you think it is (via the public key)
> > > (client can now trust server)
> > > 4.
Date sent: Tue, 20 Mar 2001 16:22:53 -0800
Subject: Re: How can I encrypt public key in handshake?
From: "corky peavy" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Send reply to: [EMAIL PROTECTED]
Again, if
3:58 PM
To: [EMAIL PROTECTED]
Subject: Re: How can I encrypt public key in handshake?
> > 3. Verify that the server is who you think it is (via the public key)
> > (client can now trust server)
> > 4. Pass an encrypted token to the client (encrypted with client password)
A cl
http://www-cs-students.stanford.edu/~tjw/srp/whatisit.html
http://www-cs-students.stanford.edu/~tjw/srp/project.html
http://www-cs-students.stanford.edu/~tjw/srp/download.html
> This kind of ad hoc
> thinking by amateurs never results in a protocol worthy of deployment.
>
> The whole concept of encrypting public keys is ludicrous, and it
> doesn't matter what the answers are when you're asking the wrong
> questions.
> __
> I did not want certificates for my application, sorry.
Then use SRP.
Leave crypto protocol design to those qualified. :)
/r$
__
OpenSSL Project http://www.openssl.org
User Support Mailin
"Kenneth R. Robinette" <[EMAIL PROTECTED]> wrote:
> From: Bill Browning <[EMAIL PROTECTED]>
> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> Subject: RE: How can I encrypt public key in
> 1. Give your public key to anyone who wants it (email, whatever...)
> 2. create an SSL connection from client to server.
> 3. Verify that the server is who you think it is (via the public key)
> (client can now trust server)
> 4. Pass an encrypted token to the client (encrypted with client passwo
> > 3. Verify that the server is who you think it is (via the public key)
> > (client can now trust server)
> > 4. Pass an encrypted token to the client (encrypted with client password)
A classic, and amateur-level mistake. You should NEVER hand out
something encrypted with a user's password to
"Kenneth R. Robinette" wrote:
> okay, well try this approach:
>
> 1. Give your public key to anyone who wants it (email, whatever...)
> 2. create an SSL connection from client to server.
> 3. Verify that the server is who you think it is (via the public key)
> (client can now trust server)
> 4. P
- Original Message -
From: "corky peavy" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, March 20, 2001 2:18 PM
Subject: How can I encrypt public key in handshake?
>
> I am building a system where the public key needs to be encrypted by
> the server,
From: Bill Browning <[EMAIL PROTECTED]>
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Subject: RE: How can I encrypt public key in handshake?
Date sent: Tue, 20 Mar 2001 15:29:05 -0800
Send reply t
verification of the client by the server.
Just my random thoughts...
Bill Browning
-Original Message-
From: corky peavy [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 20, 2001 11:18 AM
To: [EMAIL PROTECTED]
Subject: How can I encrypt public key in handshake?
I am building a system w
corky peavy wrote:
> Background and Rationale -- if you are interested.
>
> I need to do this because our product would not be practical with the
> headaches of certificate authorities, but we do need some user authentication,
> and defense against man-in-the-middle attacks.
See SKIP v2 w/UDH c
I am building a system where the public key needs to be encrypted by
the server, and decrypted by the client.
The included blowfish encryption is fine, but I can't figure out where
in the client and server code to encrypt/decrypt. Encrypting it just
before it is sent to the client is detected