> I'm a bit of a newbie and am trying to get some clarification and better
> understanding on an issue (spurred by Seifred's controversial article):
>
> How does using Stanford SRP solve (or does it?) verification, the MITM
> problem, and need for a CA?
> http://www-cs-students.stanford.edu/~tjw/srp/project.html
>
> -Sean
Please don't send separate posts with the same question to multiple
lists. Response copied form openssl-dev
The man in the middle problem is solved by having the SSL/TLS finished
messaged verified as part of the SRP authentication process. If there
is a MITM the the server will not have the correct client finished
message, and the client will not have the correct server finished
message. The failure to include the correct data in the SRP exchange
will result in an authentication failure.
A similar technique is used with Kerberos 5. When using Kerberos 5,
the finished messages are verified by transmitting them encrypted in
the Kerberos 5 session key which can only be known to the client and
server.
Jeffrey Altman * Sr.Software Designer C-Kermit 7.1 Alpha available
The Kermit Project @ Columbia University includes Secure Telnet and FTP
http://www.kermit-project.org/ using Kerberos, SRP, and
[EMAIL PROTECTED] OpenSSL. SSH soon to follow.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
