[PP-main] Cryptography

Andrew Cooke andrew at andrewcooke.free-online.co.uk
Mon Mar 6 00:00:30 CET 2000


At 04:07 PM 3/5/00 -0600, you wrote:
>>> The only way it's possible to do: Using host signatures.
>
>> This means nothing to me - what's to stop someone sitting between the two
>> connections to learn host signatures (whatever they are)?  Without a
>
>Only the public part of a host signature is sent. The private part is kept
>secret and used to answer to challenges.
>
>I have a nice book recommendation on this subject: Applied Cryptography by
>Bruce Schneier.
>
>By the way, will you be working on the communications code for Peerpress?

Sorry - I didn't recognise the terminology (despite having read chunks of
Schneier's book).  I am not involved in the code.

This is not enough to foil a man-in-the-middle attack.  If A is talking to
B then M can insert themselves in between and send M's public key to A and
B, converting messages on the fly.  The only way that I know of around this
(apart from having a shared secret beforehand, in which case why bother
with public keys) is to have a certificate signed by a CA that certifies
the identity.  Right at the start of this thread someone said that you
didn't want to use SSL because it involved CAs.

This is a very common problem.  If you are aware of more terminology than
me then you must have met this - I am not asking anything very complicated.
So please, what protocol is used to open the connection?

Andrew

http://www.andrewcooke.free-online.co.uk/index.html
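
Added example, not part of the original message and not Peerpress code: a Python sketch of the point made in the message above. Answering a challenge only proves possession of whichever key was presented, while a CA-signed binding of name to key lets A reject M. The textbook-RSA toy keys, the Peer class and all function names are assumptions constructed for illustration and are not secure.

```python
import hashlib, secrets

# Textbook RSA over small Mersenne primes: constructed toy keys, NOT secure.
def make_key(p, q, e=65537):
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def public(key):
    return {"n": key["n"], "e": key["e"]}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(digest(data, key["n"]), key["d"], key["n"])

def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == digest(data, pub["n"])

def cert_body(name, pub):
    return f"{name}|{pub['n']}|{pub['e']}".encode()

def issue_cert(signer_key, name, pub):
    return {"name": name, "pub": pub, "sig": sign(signer_key, cert_body(name, pub))}

class Peer:
    """Whoever is on the other end of the connection, as seen by A."""
    def __init__(self, key, cert=None):
        self._key, self.pub, self.cert = key, public(key), cert
    def answer(self, nonce):
        return sign(self._key, nonce)

def accept_challenge_only(peer):
    # Proves the peer holds the private half of the key it sent, nothing more.
    nonce = secrets.token_bytes(16)
    return verify(peer.pub, nonce, peer.answer(nonce))

def accept_certified(peer, expected_name, ca_pub):
    # Additionally require a CA-signed binding of expected_name to the key.
    c = peer.cert
    if c is None or c["name"] != expected_name:
        return False
    if not verify(ca_pub, cert_body(c["name"], c["pub"]), c["sig"]):
        return False
    nonce = secrets.token_bytes(16)
    return verify(c["pub"], nonce, peer.answer(nonce))

M19, M31, M61, M89 = 2**19 - 1, 2**31 - 1, 2**61 - 1, 2**89 - 1
ca_key, b_key, m_key = make_key(M61, M89), make_key(M31, M61), make_key(M19, M31)
b = Peer(b_key, issue_cert(ca_key, "B", public(b_key)))
m_replay = Peer(m_key, b.cert)                                 # presents B's certificate
m_forged = Peer(m_key, issue_cert(m_key, "B", public(m_key)))  # certificate not signed by the CA
```

With the challenge alone, A accepts both b and the peer holding M's key; with the certificate check, only b is accepted.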