andrew at andrewcooke.free-online.co.uk
Mon Mar 6 00:00:30 CET 2000
At 04:07 PM 3/5/00 -0600, you wrote:
>>> The only way it's possible to do: Using host signatures.
>> This means nothing to me - what's to stop someone sitting between the two
>> connections to learn host signatures (whatever they are)? Without a
>Only the public part of a host signature is sent. The private part is kept
>secret and used to answer to challenges.
>I have a nice book recommendation on this subject: Applied Cryptography by
>By the way, will you be working on the communications code for Peerpress?
Sorry - I didn't recognise the terminology (despite having read chunks of
Schneier's book). I am not involved in the code.
This is not enough to foil a man-in-the-middle attack. If A is talking to
B then M can insert themselves in between and send M's public key to A and
B, converting messages on the fly. The only way that I know of around this
(apart from having a shared secret beforehand, in which case why bother
with public keys) is to have a certificate signed by a CA that certifies
the identity. Right at the start of this thread someone said that you
didn't want to use SSL because it involved CAs.
This is a very common problem. If you are aware of more terminology than
me then you must have met this - I am not asking anything very complicated.
So please, what protocol is used to open the connection?
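
The point argued in the message above, as an added example that is not part of the original post or of Peerpress: a challenge answered with a private key only proves possession of whatever public key was presented, so a substituted key passes unless a CA-signed binding is also checked. Everything here is an assumption for illustration: toy textbook RSA with constructed keys, the hypothetical helpers `keypair`, `cert_for` and `a_accepts`, and a made-up "name:key" certificate format.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by all toy keys

def keypair(p, q):
    """Toy textbook-RSA key from two known primes: returns (public n, private d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg, n, d):
    return pow(_digest(msg, n), d, n)

def verify(msg, sig, n):
    return pow(sig, E, n) == _digest(msg, n)

# Constructed keys built from Mersenne primes; not secure, illustration only.
B_PUB, B_PRIV = keypair(2**61 - 1, 2**89 - 1)      # B, the peer A wants to reach
M_PUB, M_PRIV = keypair(2**107 - 1, 2**127 - 1)    # M, sitting in the path
CA_PUB, CA_PRIV = keypair(2**521 - 1, 2**607 - 1)  # CA that A already trusts

def cert_for(name, pub):
    """The CA signs the binding between a name and a public key."""
    return sign(f"{name}:{pub}".encode(), CA_PUB, CA_PRIV)

def challenge_ok(presented_pub, responder_priv):
    """A sends a fresh nonce; the peer signs it; A checks it against the key it was given."""
    nonce = secrets.token_bytes(16)
    return verify(nonce, sign(nonce, presented_pub, responder_priv), presented_pub)

def a_accepts(expected_name, presented_pub, cert, responder_priv, require_cert):
    """A's decision: optionally check the CA binding first, then run the challenge."""
    if require_cert and not verify(f"{expected_name}:{presented_pub}".encode(), cert, CA_PUB):
        return False  # presented key is not the one the CA bound to expected_name
    return challenge_ok(presented_pub, responder_priv)

if __name__ == "__main__":
    b_cert = cert_for("B", B_PUB)
    print("challenge only, substituted key :", a_accepts("B", M_PUB, None, M_PRIV, False))
    print("CA check, substituted key       :", a_accepts("B", M_PUB, b_cert, M_PRIV, True))
    print("CA check, genuine key           :", a_accepts("B", B_PUB, b_cert, B_PRIV, True))
```

The last check in `a_accepts` still matters with a certificate in place: relaying B's genuine key and certificate does not help a party that cannot answer the challenge for that key.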