SSL Storage

Philipp Gühring
Hi,

Is it possible to save the content that was transmitted in an SSL session, in a
way that the signature of the SSL session is still preserved, but the
encryption is decrypted?
So that the SSL session can be stored, and the content be verified afterwards
offline again?

With simple tcpdump, I can save the SSL session in encrypted form (from
outside the tunnel).
With stunnel, I can save the content inside the SSL session, but without
the signature.
Is it theoretically possible?
Is it practically possible with OpenSSL?

Regards,
Philipp Gühring

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: SSL Storage

Dr. Stephen Henson
On Sun, Aug 14, 2005, Philipp Gühring wrote:

> Hi,
>
> Is it possible to save the content that was transmitted in an SSL session, in a
> way that the signature of the SSL session is still preserved, but the
> encryption is decrypted?
> So that the SSL session can be stored, and the content be verified afterwards
> offline again?
>
> With simple tcpdump, I can save the SSL session in encrypted form (from
> outside the tunnel).
> With stunnel, I can save the content inside the SSL session, but without
> the signature.
> Is it theoretically possible?
>

This isn't possible for nonrepudiation purposes.

There isn't a signature as such: it's a MAC. Any party which has the session keys
(or just the master or premaster secret) can forge what looks like a valid
session: in particular the server could. Client authentication doesn't help
either.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
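
An added illustration of the point made in the reply above (not code from the original posts or from OpenSSL): the record MAC is keyed with a secret both peers hold, so an archived plaintext record plus its MAC cannot show which peer produced it. The MAC input follows the TLS 1.0 record layout with HMAC-SHA1; the key, payloads and helper names are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

APPLICATION_DATA = 23   # TLS record content type
TLS_1_0 = (3, 1)        # protocol version bytes (major, minor)


def record_mac(mac_key: bytes, seq: int, fragment: bytes) -> bytes:
    """TLS 1.0 style record MAC: HMAC over seq_num, type, version, length, data."""
    header = struct.pack("!QBBBH", seq, APPLICATION_DATA, *TLS_1_0, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha1).digest()


def seal(mac_key: bytes, seq: int, fragment: bytes) -> dict:
    """A decrypted record stored together with its MAC (hypothetical archive format)."""
    return {"seq": seq, "data": fragment, "mac": record_mac(mac_key, seq, fragment)}


def verify(mac_key: bytes, record: dict) -> bool:
    """The only check an offline auditor can run, and it needs the session MAC key."""
    expected = record_mac(mac_key, record["seq"], record["data"])
    return hmac.compare_digest(expected, record["mac"])


def demo() -> tuple:
    # Constructed key. In a real session both peers derive it from the master
    # secret, so the client and the server each hold an identical copy.
    client_write_mac_key = os.urandom(20)

    # Record as the client sent it during the session.
    genuine = seal(client_write_mac_key, 0, b"order: 10 units")

    # The server holds the same key, so it can compute a valid MAC for
    # different content after the session has ended.
    rewritten = seal(client_write_mac_key, 0, b"order: 1000 units")

    # Someone without the session key cannot produce a tag that verifies.
    outsider = seal(os.urandom(20), 0, b"order: 1000 units")

    return (verify(client_write_mac_key, genuine),
            verify(client_write_mac_key, rewritten),
            verify(client_write_mac_key, outsider))


if __name__ == "__main__":
    print(demo())
```

Both the genuine and the rewritten record verify, which is why a stored session protects integrity against outsiders but gives a third party no evidence of authorship.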