question about ssl


question about ssl

amineh salehi
I am investigating the security of the SSL protocol, and I have 2 questions about SSL version 2.0.
In the cipher suites defined for it in "rfc2246" (TLS 1.0), there isn't Diffie-Hellman key exchange, why?
What is the solution for the vulnerability in anonymous key exchange pointed out by Bruce Schneier (analysis of ssl, 1996)?



Re: question about ssl

Jostein Tveit
amineh salehi <[hidden email]> writes:

> In the cipher suites defined for it in "rfc2246" (TLS 1.0), there isn't
> Diffie-Hellman key exchange, why?

RFC 2246 specifies many DH key exchange cipher suites. Have a
look at page 61.

> What is the solution for the vulnerability in anonymous key exchange pointed
> out by Bruce Schneier (analysis of ssl, 1996)?

Do you mean "Analysis of the SSL 3.0 protocol" by Wagner and
Schneier?

If this is the paper you are talking about, you may have an old
version. The version revised April 15, 1997, states that this was
a typo in the standard, and that the designers intended that the
signature be omitted entirely.

--
Jostein Tveit <[hidden email]>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: question about ssl

amineh salehi
At page 72 in rfc2246: "The following cipher specifications are carryovers from SSL Version 2.0. These are assumed to use RSA for key exchange and authentication."
My question was about this note.
Mr Tveit, please explain more for me about "signature be omitted entirely" in anonymous key exchange, or give me its reference. Thank you for your attention.



Re: question about ssl

Jostein Tveit
amineh salehi <[hidden email]> writes:

> At page 72 in rfc2246: The following cipher specifications are carryovers
> from SSL Version 2.0. These are assumed to use RSA for key exchange and
> authentication.
> my question was about this note.

The lines you quoted are at page 66 of RFC2246.
DH key exchange is not a part of SSL v2.0. The only defined
cipher suites in the SSL v2.0 standard [1] are the ones which are
listed as carryovers from SSL Version 2.0 in RFC2246. See
Appendix C.4 in the SSL V2.0 standard and Appendix E of RFC2246.

> Mr Tveit, please explain more for me about "signature be omitted entirely"
> in anonymous key exchange, or give me its reference. thank you for your
> attention.

The original published paper [2] is different from the revised
version [3]. Please read chapter 4.5 of both documents.

[1] http://wp.netscape.com/eng/security/SSL_2.html
[2] http://www.schneier.com/paper-ssl.pdf
[3] http://www.schneier.com/paper-ssl-revised.pdf

Regards,
--
Jostein Tveit <[hidden email]>
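
An added example, not part of the thread and not OpenSSL code, that goes slightly beyond the messages: it classifies the 3-byte cipher specs carried by a version 2.0-compatible ClientHello (RFC 2246, Appendices A.5 and E), separating the RSA-only SSL 2.0 carryovers from TLS 1.0 suites and flagging anonymous DH. The function names and the sample bytes are constructed for illustration.

```python
# SSL 2.0 carryover cipher specs from RFC 2246 Appendix E.
# All of them are assumed to use RSA for key exchange and authentication.
SSL2_CARRYOVERS = {
    bytes([0x01, 0x00, 0x80]): "TLS_RC4_128_WITH_MD5",
    bytes([0x02, 0x00, 0x80]): "TLS_RC4_128_EXPORT40_WITH_MD5",
    bytes([0x03, 0x00, 0x80]): "TLS_RC2_CBC_128_CBC_WITH_MD5",
    bytes([0x04, 0x00, 0x80]): "TLS_RC2_CBC_128_CBC_EXPORT40_WITH_MD5",
    bytes([0x05, 0x00, 0x80]): "TLS_IDEA_128_CBC_WITH_MD5",
    bytes([0x06, 0x00, 0x40]): "TLS_DES_64_CBC_WITH_MD5",
    bytes([0x07, 0x00, 0xC0]): "TLS_DES_192_EDE3_CBC_WITH_MD5",
}

# Key exchange by TLS 1.0 suite number (RFC 2246 Appendix A.5).
TLS10_KEY_EXCHANGE = [
    (0x0001, 0x000A, "RSA"),
    (0x000B, 0x0010, "DH"),       # DH_DSS / DH_RSA, certified parameters
    (0x0011, 0x0016, "DHE"),      # DHE_DSS / DHE_RSA, signed ephemeral
    (0x0017, 0x001B, "DH_anon"),  # no authentication of either side
]

def classify_spec(spec: bytes):
    """Return (origin, key_exchange) for one 3-byte V2CipherSpec."""
    if len(spec) != 3:
        raise ValueError("a V2CipherSpec is exactly 3 bytes")
    if spec in SSL2_CARRYOVERS:
        return ("SSLv2 carryover", "RSA")
    if spec[0] == 0x00:  # TLS suites are encoded as 0x00 + 2-byte suite
        suite = int.from_bytes(spec[1:], "big")
        for low, high, kx in TLS10_KEY_EXCHANGE:
            if low <= suite <= high:
                return ("TLS 1.0", kx)
    return ("unknown", "unknown")

def audit_cipher_specs(field: bytes):
    """Classify every spec in a cipher_specs field; flag the risky ones."""
    if len(field) % 3:
        raise ValueError("cipher_specs length must be a multiple of 3")
    findings = []
    for i in range(0, len(field), 3):
        spec = field[i:i + 3]
        origin, kx = classify_spec(spec)
        flagged = origin == "SSLv2 carryover" or kx == "DH_anon"
        findings.append((spec.hex(), origin, kx, flagged))
    return findings

# Constructed sample field: two SSLv2 carryovers, then RSA, DHE and DH_anon.
SAMPLE = bytes.fromhex("010080" "0700c0" "00000a" "000016" "00001b")

if __name__ == "__main__":
    for row in audit_cipher_specs(SAMPLE):
        print(row)
```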