[Dundi] Looking Glass

Mark Spencer markster at digium.com
Sun Oct 31 10:22:54 CST 2004 

The MD5 secret is, itself, the plaintext secret used to authenticate into 
the web site, ergo although you cannot derive the original route from the 
md5 sum, you could certainly still use that md5 sum to respond to the same 
query again.  Normally hash authentication requires a "nonce" or random 
value be included in the hash, thus making the hash usuable only once.

SSL does not require X.509 certificats.  We're not saying you have to use 
SSL in order to authenticate, we're saying you need to use SSL to encrypt 
only.  Yes, that makes man in the middle attacks possible, but that's also 
a much more difficult thing to do than simply sniff the wire.  So 
basically teh addition of SSL for encryption provides a very simple way to 
add incrementally more security (although clearly not as strong as using a 
certificate authority).  Of course there may be ways to use a DUNDi secret 
to contain the md5 sum or something of the real cert, who knows :)

Mark

On Sun, 31 Oct 2004, Joe Abley wrote:

>
> On 31 Oct 2004, at 11:11, Mark Spencer wrote:
>
>> Without requiring SSL to protect the md5 secret being transmitted, an 
>> observer on the wire could then snoop the md5 secret and use it to gain 
>> access to the system after the fact unless the number which was presented 
>> for authentication changed each time and the same number was not repeated 
>> within the cache time.  Further, without SSL, whatever information is 
>> transmitted would then be visible to anyone on the wire.
>
> Surely the data transmitted over the wire is an MD5 hash calculated over the 
> concatenation of a number with a shared secret. The result of the MD5 hash is 
> hence not secret, and there seems little point in transmitting it over SSL.
>
> Perhaps I am misunderstanding what you said in your previous message about 
> "rotating secret".
>
>> Basically SSL provides an additional layer of security which is fairly 
>> simple to setup and seems pretty worth it :)
>
> SSL implies a requirement for X.509 certificates; since (a) the process of 
> acquiring certificates from well-known trust anchors is very insecure, and 
> (b) people won't bother anyway and will self-sign certificates, SSL will wind 
> up being no defence against man-in-the-middle extraction of the encrypted 
> data anyway.
>
> SSL is rarely worth much in practice, in my opinion :-)
>
>
> Joe
>
> _______________________________________________
> Dundi mailing list
> Dundi at lists.digium.com
> http://lists.digium.com/mailman/listinfo/dundi
>

More information about the Dundi mailing list