On Wed, May 29, 2002 at 04:21:42PM -0000, Shalendra Chhabra wrote:
> Will someone tell me
> 1. what is an engine for? Why do we have an Engine also on the
> openssl site for download?

This question is answered in the FAQ.

> 2. I want to try something like this:
> 
> I have two computers one client and a server
> and I enable communication between them using openssl
> I am confused:
> 
> 
> a)-How will I know which version of the SSL they are using (Which 
> Data Structure, which Function) in the openssl lib
> b)-If by changing the ans of a)- I can enable the communication 
> between them using SSL v2.0, SSL v3.0 and TLS and any 
> combinations, I want to try an attack(s) using third machine
> Can someone tell me whether someone has already tried this. Well 
> this will just mean to test an existing implementation of SSL 
> (implemented by Openssl)

The SSL API is more or less completely documented.

> I want to do this because
> 1. I am fed up of reading and reading that like a ciphersuite 
> version rollback attack, this attack
> So I want to do it practically

Good luck.

> 2. Also because much of research work and my Internship Project 
> depends upon this exercise
> Any suggestions, advice, comments are welcome

Obtain a decent book, like Eric Rescorla's excellent introduction
to the topic. If it comes to more distinguished items, you may use
google (replace with your favorite search engine) to find works about
it. You will easily learn that a lot of attacks are easily discussed
but still difficult to realize. The rollback attack intends to force
the peers to handshake on an older protocol. The idea behind it is that
when an old protocol has a security problem, one can force the peers to
use the old protocol and then attack it.
* SSLv2 may not be the best solution, but that doesn't make it easily
  hackable. Thus even if the rollback attack would succeed, you still would
  not be able to break the security.
* The rollback attack is being thought of during the design of TLSv1.

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
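
Added example, not part of the message above and not OpenSSL code: a toy Python model of why a rollback attempt is detectable when each side's Finished value is a MAC over the handshake messages it saw, as in SSLv3 and TLSv1. HMAC-SHA256 stands in for the real Finished computation, and the message layout, the pre-agreed secret and all function names are assumptions made for the illustration.

```python
# Added illustration, not OpenSSL code: toy model of a transcript-bound
# Finished check. Message layout and all names are assumptions.
import hashlib
import hmac

VERSIONS = {"SSLv2": 2, "SSLv3": 3, "TLSv1": 4}  # ranked oldest to newest


def client_hello(supported):
    """Constructed ClientHello: only the list of offered protocol versions."""
    return ("ClientHello:" + ",".join(supported)).encode()


def server_hello(hello, server_supported):
    """Server picks the newest version that both sides offer."""
    offered = hello.decode().split(":", 1)[1].split(",")
    common = [v for v in offered if v in server_supported]
    if not common:
        raise ValueError("no common protocol version")
    return ("ServerHello:" + max(common, key=VERSIONS.__getitem__)).encode()


def finished(master_secret, transcript):
    """MAC over every handshake message this side saw, keyed by the shared secret."""
    digest = hashlib.sha256(b"".join(transcript)).digest()
    return hmac.new(master_secret, digest, hashlib.sha256).digest()


def handshake(client_versions, server_versions, tamper=None):
    """Run the model; `tamper` rewrites the ClientHello in transit (or is None).

    Returns (negotiated_version, finished_values_match).
    """
    secret = b"constructed-master-secret"  # assumed agreed, unknown to the middle
    sent = client_hello(client_versions)
    received = tamper(sent) if tamper else sent
    reply = server_hello(received, server_versions)
    # Each side hashes the ClientHello as *it* saw it.
    client_fin = finished(secret, [sent, reply])
    server_expected = finished(secret, [received, reply])
    version = reply.decode().split(":", 1)[1]
    return version, hmac.compare_digest(client_fin, server_expected)


def strip_to_sslv2(hello):
    """In-transit rewrite that leaves only the oldest version on offer."""
    return client_hello(["SSLv2"])
```

In the model an untouched handshake negotiates TLSv1 with matching Finished values, while the rewritten ClientHello yields SSLv2 and a mismatch, which is the point at which a real endpoint aborts the connection.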
