
Re: [iaik-ssl] iSaSiLk vs. SSLava - using ADH in applet

The DH bug only affects DH_anon ciphersuites, everything else should work
ok. The man-in-the-middle attack also only applies to DH_anon, in all
other ciphersuites it would be detected in the authentication/
certificate trust verification phase.

The demos from the standard iSaSiLk version should not be too difficult
to get to work with DSS. You will of course need a certificate with a DSS
key on your server, or you could try the demo server in the iSaSiLk
distribution. The light version is basically the same as the full version
in this respect, the main difference is that the server public key is
hardcoded in the program.


 Andreas Sterbenz              mailto:Andreas.Sterbenz@iaik.tu-graz.ac.at

-----Original Message-----
From: Gerald Pattillo <gpattill@atd.sprintcorp.com>
To: <iaik-ssl@iaik.tu-graz.ac.at>
Sent: Friday, 17 September 1999 18:17
Subject: RE: [iaik-ssl] iSaSiLk vs. SSLava - using ADH in applet

> My goal is to avoid the $100,000 minimum RSA license fees.  I tried using DH
> for key exchange with DSA certificates and it never would work...now that I
> think about it, maybe that has something to do with the DH bug.  Anyway, I
> I could temporarily use ADH during testing, and get the DSA certs working
> later.  If iSaSiLkLight supports DH key exchange, DSA certificates, and DES
> or 3DES, then that
> be even better.
> I don't need ADH in iSaSiLkLight, the plan was to use DH instead of ADH
> because of the MIM attack.
> Does the bug affect regular DH too?  Is that why I could never get a
> certificate exchange to work?  If anyone has any sample code/certs that
> works in DH-DSA-3DES mode, it would help a lot.  Thanks.
> Gerald
> -----Original Message-----
> From: iaik-ssl-owner@iaik.tu-graz.ac.at
> [mailto:iaik-ssl-owner@iaik.tu-graz.ac.at]On Behalf Of Andreas Sterbenz
> Sent: Friday, September 17, 1999 10:41 AM
> To: Gerald Pattillo; iaik-ssl@iaik.tu-graz.ac.at
> Subject: Re: [iaik-ssl] iSaSiLk vs. SSLava - using ADH in applet
> Note that we have two different Applet solutions:
>  . the applet version of standard iSaSiLk (supports all standard
> ciphersuites, including ADH)
>  . iSaSiLkLight, see
> http://jcewww.iaik.at/iSaSiLkAppletEdition/light1.htm
> iSaSiLkLight works on any JDK up from 1.0 and is only 42k (compressed
> JAR). It supports strong standard ciphersuites (RSA and DH), but not
> export or otherwise weak ciphersuites like anonymous DH. You should
> realize that DH_anon is vulnerable to active man-in-the-middle attacks,
> which require no computational effort and are fairly easy to mount. I
> imagine hardly any scenarios where non authenticated connections are
> sufficient.
> We plan on updating iSaSiLkLight and could add ADH in the process if
> is important to you. I cannot yet say when that new version will be
> available, but it is safe to say that at least a beta will come out
> before the end of the year.
> Regards,
>  Andreas Sterbenz
> -----Original Message-----
> From: Gerald Pattillo <gpattill@atd.sprintcorp.com>
> To: <iaik-ssl@iaik.tu-graz.ac.at>
> Sent: Friday, 17 September 1999 15:54
> Subject: [iaik-ssl] iSaSiLk vs. SSLava - using ADH in applet
> >
> > We are in the process of licensing iSaSiLk, but are having problems doing
> > ADH key exchange.
> > I realize from an earlier message that this is a bug that will be
> > shortly, but there is another issue.  The applet edition of iSaSiLk only
> > supports RSA, where the applet edition of SSLava will do ADH, and it is
> > only 50k (and it also works now).  My question is, can iSaSiLk be easily
> > pared down to only do ADH in order to reduce the footprint for
> > use.
> > I don't need any of the other algorithms because I'm connecting to a
> > known ADH server.  If
> > is not easily done, maybe I should just go with the 50k SSLava package.
> > Thanks for any info or insight.
> >
> > Gerald
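
Added example (not part of the original thread and not iSaSiLk code): the check that separates a DSS-authenticated DH exchange from DH_anon, written against the standard Java JCA. The class name `SignedDhCheck`, the `accept` helper, the key sizes and the choice to sign only the DH public value are assumptions made for illustration; the keys are generated on the spot.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import javax.crypto.interfaces.DHPublicKey;

public class SignedDhCheck {
    // Client-side check: accept the server's DH value only if the signature
    // over it verifies under the DSA public key the client already trusts
    // (from a verified certificate, or hardcoded as the thread describes).
    static boolean accept(PublicKey trustedDsa, byte[] dhPub, byte[] sig) throws Exception {
        Signature v = Signature.getInstance("SHA256withDSA");
        v.initVerify(trustedDsa);
        v.update(dhPub);
        return v.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        // Constructed keys: a long-term DSA signing key and a DH key pair
        // for this one exchange.
        KeyPairGenerator dsaGen = KeyPairGenerator.getInstance("DSA");
        dsaGen.initialize(2048);
        KeyPair serverDsa = dsaGen.generateKeyPair();
        KeyPairGenerator dhGen = KeyPairGenerator.getInstance("DH");
        dhGen.initialize(2048);
        KeyPair serverDh = dhGen.generateKeyPair();

        // Server signs its DH public value. Simplification: a real SSL
        // handshake also covers both hello randoms with this signature.
        byte[] dhPub = serverDh.getPublic().getEncoded();
        Signature s = Signature.getInstance("SHA256withDSA");
        s.initSign(serverDsa.getPrivate());
        s.update(dhPub);
        byte[] sig = s.sign();

        // A second DH key on the same parameters, standing in for a value
        // that was replaced in transit. The signature does not cover it.
        dhGen.initialize(((DHPublicKey) serverDh.getPublic()).getParams());
        byte[] swapped = dhGen.generateKeyPair().getPublic().getEncoded();

        System.out.println("genuine DH value accepted: "
                + accept(serverDsa.getPublic(), dhPub, sig));
        System.out.println("swapped DH value accepted: "
                + accept(serverDsa.getPublic(), swapped, sig));
        // With DH_anon there is no signature and no trusted key, so the
        // client has no equivalent of accept() to run on the received value.
    }
}
```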