
RE: [iaik-ssl] iSaSiLk vs. SSLava - using ADH in applet



My goal is to avoid the $100,000 minimum RSA license fees.  I tried using DH
for key exchange with DSA certificates and it never would work...now that I
think about it, maybe that has something to do with the DH bug.  Anyway, I
thought I could temporarily use ADH during testing, and get the DSA certs
working later.  If iSaSiLkLight supports DH key exchange, DSA certificates,
and DES or 3DES, then that will be even better.

I don't need ADH in iSaSiLkLight, the plan was to use DH instead of ADH
because of the MIM attack.  Does the bug affect regular DH too?  Is that why
I could never get a DSA certificate exchange to work?  If anyone has any
sample code/certs that work in DH-DSA-3DES mode, it would help a lot.
Thanks.

Gerald


-----Original Message-----
From: iaik-ssl-owner@iaik.tu-graz.ac.at
[mailto:iaik-ssl-owner@iaik.tu-graz.ac.at]On Behalf Of Andreas Sterbenz
Sent: Friday, September 17, 1999 10:41 AM
To: Gerald Pattillo; iaik-ssl@iaik.tu-graz.ac.at
Subject: Re: [iaik-ssl] iSaSiLk vs. SSLava - using ADH in applet


Note that we have two different Applet solutions:

 . the applet version of standard iSaSiLk (supports all standard
   ciphersuites, including ADH)
 . iSaSiLkLight, see http://jcewww.iaik.at/iSaSiLkAppletEdition/light1.htm

iSaSiLkLight works on any JDK up from 1.0 and is only 42k (compressed
JAR). It supports strong standard ciphersuites (RSA and DH), but not
export or otherwise weak ciphersuites like anonymous DH. You should
realize that DH_anon is vulnerable to active man-in-the-middle attacks,
which require no computational effort and are fairly easy to mount. I can
imagine hardly any scenarios where non authenticated connections are
sufficient.

We plan on updating iSaSiLkLight and could add ADH in the process if that
is important to you. I cannot yet say when that new version will be
available, but it is safe to say that at least a beta will come out
before the end of the year.

Regards,

 Andreas Sterbenz              mailto:Andreas.Sterbenz@iaik.tu-graz.ac.at

-----Original Message-----
From: Gerald Pattillo <gpattill@atd.sprintcorp.com>
To: <iaik-ssl@iaik.tu-graz.ac.at>
Sent: Friday, September 17, 1999 15:54
Subject: [iaik-ssl] iSaSiLk vs. SSLava - using ADH in applet


>
> We are in the process of licensing iSaSiLk, but are having problems doing
> ADH key exchange.
> I realize from an earlier message that this is a bug that will be fixed
> shortly, but there is another issue.  The applet edition of iSaSiLk only
> supports RSA, where the applet edition of SSLava will do ADH, and it is
> only 50k (and it also works now).  My question is, can iSaSiLk be easily
> pared down to only do ADH in order to reduce the footprint for applet use.
> I don't need any of the other algorithms because I'm connecting to a known
> ADH server.  If this is not easily done, maybe I should just go with the
> 50k SSLava package.  Thanks for any info or insight.
>
> Gerald



