Re: Spoofing as the postmaster

Andrew Sullivan wrote: <blockquote cite="mid:20071228215734.GA26152@crankycanuck.ca" type="cite"><pre wrap="">On Fri,
Dec28, 2007 at 07:48:22AM -0800, Trevor Talbot wrote: </pre><blockquote type="cite"><pre wrap="">I don't follow. What
arebanks doing on the web now to force clients
 
to authenticate them, and how is it any different from the model of
training users to check the SSL certificate?   </pre></blockquote><pre wrap="">
Some banks (mostly Swiss and German, from what I've seen) are requiring
two-token authentication, and that second "token" is really the way that the
client authenticates the server: when you "install" your banking
application, you're really installing the keys you need to authenticate the
server and for the server to authenticate you. </pre></blockquote> I have done this for my own application before.
Althoughthe client and server use standard TLS 1.0 to speak to each other with a required authentication of RSA
1024-bitand a required encryption of AES 128-bit, it still requires that passwords sent from the client to the server
areRSA encrypted using the server public certificate, making it impossible for anybody except for the legitimate server
tosee the password. One benefit of this is that the password itself can be '\0'd out as soon as we have RSA encrypted
it,and things like a core dump of the client have a lower chance of including the password in plain text.<br /><br />
Inmy case, the reason I did it is because I was trying to navigate around the US export control regulations that
preventgreater than 1024 bit assymetric or 128 bit symmetric from leaving the US. I was able to use the standard Java
SSLand crypto libraries to achieve greater than 128 bit symmetric encryption by combining the two.<br /><br /> Now, my
implementationisn't perfect with regard to Andrew's comments, as I encrypt using the server's public certificate after
authenticatingit. Technically, however, I could actually have two server certificates - one to use for authentication,
andone to use for encryption. I believe this is becoming common in some circles, and you will find that gpg uses DSA
keysfor authentication, and signs the RSA keys used for encryption with the DSA key. The DSA key can be more bits, or
havea longer life time.<br /><br /> At what point does prudence become paranoia? I don't know. In my case, I felt
128-bitencryption was insufficient for protecting the passwords in my application. 256-bit encryption would have been
sufficient,but that cannot yet be safely exported from the US to the countries I required.<br /><br /> Cheers,<br />
mark<br/><br /><pre class="moz-signature" cols="72">-- 
 
Mark Mielke <a class="moz-txt-link-rfc2396E" href="mailto:mark@mielke.cc"><mark@mielke.cc></a>
</pre>