[dcc2] Multi headers + metadata

peter green plugwash at p10link.net
Thu Apr 29 18:03:09 EDT 2004


there are a few ways

one method is a trusted third party signing public keys (this is how https
works for example)

another method is to use sealed physical mail to send public keys in a
tamperproof manner (i.e. in a way where if someone has tampered you will know
it)

-----Original Message-----
From: dcc2-bounces at dcc2.org [mailto:dcc2-bounces at dcc2.org]On Behalf Of
Phoenix Fyrestar
Sent: 29 April 2004 22:48
To: DCC2 Working Group List
Subject: Re: [dcc2] Multi headers + metadata


Until quantum cryptography is available to the masses, is there any way to
really prevent a man-in-the-middle attack?

On 4/29/04 4:36 PM, "peter green" <plugwash at p10link.net> wrote:

> essentially you are reinventing ssl
>
> one or both ends of an ssl link can have a host key
>
> if you know the public host key of a host you can verify securely that it
> really is that host
>
> with https the host keys are signed by a certification authority but
> swapping them in advance is perfectly possible
>
> at the end of the day to securely protect against man in the middle you need
> to be sure the public host keys you have really belong to the other host
> hence why we have certification authorities
>
> -----Original Message-----
> From: dcc2-bounces at dcc2.org [mailto:dcc2-bounces at dcc2.org]On Behalf Of
> Phoenix Fyrestar
> Sent: 29 April 2004 22:30
> To: DCC2 Working Group List
> Subject: Re: [dcc2] Multi headers + metadata
>
>
> What about doing this through some sort of automated public key encryption.
>
> Each client generates a random public/private key pair, then exchange public
> keys
>
> Then either all data, or a symmetric key, is transferred using the public
> key encryption method.
>
> On 4/29/04 1:35 AM, "Ben Damm" <bdamm-dcc2 at dammfine.com> wrote:
>
>> On Thu, Apr 29, 2004 at 01:11:00AM -0500, Phoenix Fyrestar wrote:
>>> As far as running everything through SSL, I have no problem with this, I was
>>> just under the (apparently mistaken) impression that for some reason or
>>> another people were thinking this might not be a good idea, so I was trying
>>> to propose alternate solutions.
>>
>> My understanding of SSL is that it both encrypts and authenticates (if
>> you trust the certificate authority).  Some people think this is great,
>> but to me it sounds like overhead.  As a light-weight encryption
>> system, SSL is not so hot because of the certificates.  People are not
>> going to go purchasing certificates from VeriSign just to use DCC, and a
>> self-signed certificate is just as bad as no authentication at all (i.e.
>> no protection against man-in-the-middle attacks).
>>
>> So, the idea with symmetric keys is that you generate a secret and
>> exchange it via an asymmetric algorithm, then switch to the symmetric
>> algorithm to do the transfer.  You do this switching because asymmetric
>> encryption is much more resource intensive than symmetric communication.
>>
>> -Ben
>>
>> _______________________________________________
>> dcc2 mailing list
>> dcc2 at dcc2.org
>> http://six.pairlist.net/mailman/listinfo/dcc2
>
> ---
> Incoming mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.672 / Virus Database: 434 - Release Date: 28/04/2004
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.672 / Virus Database: 434 - Release Date: 28/04/2004
>

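The point the thread converges on (an exchanged public key only stops a man in the middle if you already know it belongs to the other host) can be shown in a few lines. This is an added example, not code from the thread or from DCC2: a toy Diffie-Hellman exchange stands in for the public-key scheme, and the group parameters `P` and `G`, the function names and the "relay" party are all assumptions made for the demo.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for this demo; far too small for real use.
P = 2**127 - 1
G = 3

def keypair():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def fingerprint(pub):
    """Short value that can be signed by a CA or sent by sealed mail in advance."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()

def session_key(my_priv, their_pub):
    """Symmetric key both ends derive after exchanging public keys."""
    shared = pow(their_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def connect(my_priv, presented_pub, pinned_fp=None):
    """Derive a session key; refuse if a pin is set and the presented key differs."""
    if pinned_fp is not None and not hmac.compare_digest(
            fingerprint(presented_pub), pinned_fp):
        raise ValueError("host key does not match pinned fingerprint")
    return session_key(my_priv, presented_pub)

def demo():
    alice_priv, alice_pub = keypair()
    bob_priv, bob_pub = keypair()
    relay_priv, relay_pub = keypair()   # in-path party presenting its own key as Bob's
    pinned = fingerprint(bob_pub)       # obtained out of band before connecting

    # Genuine key, pin matches: both ends derive the same symmetric key.
    honest = connect(alice_priv, bob_pub, pinned) == session_key(bob_priv, alice_pub)
    # No pin: the substituted key is accepted and the key is shared with the relay.
    unpinned = connect(alice_priv, relay_pub) == session_key(relay_priv, alice_pub)
    # Pin set: the substituted key is rejected before any data is sent.
    try:
        connect(alice_priv, relay_pub, pinned)
        rejected = False
    except ValueError:
        rejected = True
    return honest, unpinned, rejected

if __name__ == "__main__":
    print(demo())
```
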