[dcc2] Multi headers + metadata

[Phoenix Fyrestar]

Until quantum cryptography is available to the masses, is there any way to
really prevent a man-in-the-middle attack?

On 4/29/04 4:36 PM, "peter green" <plugwash at p10link.net> wrote:

> essentilaly you are reinventing ssl
> 
> one or both ends of a sll link ccan have a host key
> 
> if you know the public host ey of a host you can verifify securely that it
> really is that host
> 
> with https the host keys are signed by a certification authority but
> swapping them in advance is perfectly possible
> 
> at the end of the day to securely protect against man in the middle you need
> to be sure the public host keys you have really belong to the other host
> hence why we have certification authorites
> 
> -----Original Message-----
> From: dcc2-bounces at dcc2.org [mailto:dcc2-bounces at dcc2.org]On Behalf Of
> Phoenix Fyrestar
> Sent: 29 April 2004 22:30
> To: DCC2 Working Group List
> Subject: Re: [dcc2] Multi headers + metadata
> 
> 
> What about doing this through some sort of automated public key encryption.
> 
> Each client generates a random public/private key pair, then exchange public
> keys
> 
> Then either all data, or a symmetric key, is transferred using the public
> key encryption method.
> 
> On 4/29/04 1:35 AM, "Ben Damm" <bdamm-dcc2 at dammfine.com> wrote:
> 
>> On Thu, Apr 29, 2004 at 01:11:00AM -0500, Phoenix Fyrestar wrote:
>>> As far as running everything through SSL, I have no problem with this, I
> was
>>> just under the (apparently mistaken) impression that for some reason or
>>> another people were thinking this might not be a good idea, so I was
> trying
>>> to purpose alternate solutions.
>> 
>> My understanding of SSL is that it both encrypts and authenticates (if
>> you trust the certificate authority).  Some people think this is great,
>> but to me it sounds like overhead.  As a light-weight encryption
>> system, SSL is not so hot because of the certificates.  People are not
>> going to go purchasing certificates from VeriSign just to use DCC, and a
>> self-signed certificate is just as bad as no authentication at all (i.e.
>> no protection against man-in-the-middle attacks).
>> 
>> So, the idea with symmetric keys is that you generate a secret and
>> exchange it via an asymmetric algorithm, then switch to the symmetric
>> algorithm to do the transfer.  You do this switching because asymmetric
>> encryption is much more resource intensive than symmetric communication.
>> 
>> -Ben
>> 
>> _______________________________________________
>> dcc2 mailing list
>> dcc2 at dcc2.org
>> http://six.pairlist.net/mailman/listinfo/dcc2
> 
> _______________________________________________
> dcc2 mailing list
> dcc2 at dcc2.org
> http://six.pairlist.net/mailman/listinfo/dcc2
> ---
> Incoming mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.672 / Virus Database: 434 - Release Date: 28/04/2004
> 
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.672 / Virus Database: 434 - Release Date: 28/04/2004
> 
> _______________________________________________
> dcc2 mailing list
> dcc2 at dcc2.org
> http://six.pairlist.net/mailman/listinfo/dcc2