Ashu,
Sorry, another typo - I meant to say 2; I am hoping the certificates take care of 2. Which just leaves 1 untackled by NULL-SHA. The question is, is there anything else weak about NULL-SHA other than the lack of privacy.........
thanks again,
Neil
----- Original Message -----
Sent: Wednesday, August 13, 2003 9:19 PM
Subject: Re: Cipher Suites explanation
Neil Humphreys wrote:
My app is a listening server with 2 ports. The less secure one is for performance, when it doesn't matter if someone sees the data being sent, so it is not worth encrypting/decrypting.
The NULL-SHA checksum should take care of requirement 3 then - and the fact that it is SSL (and uses certificates) takes care of 1??? Apart from encrypting the data itself, is there any other reason why NULL-SHA is insecure??
Your requirement 1 is secrecy (encryption). For encryption you need some form of encryption method to encrypt your plaintext. When there is no encryption method, how can you encrypt something and achieve secrecy through it?
Ashu
I changed the subject line so that it makes more sense!
Neil Humphreys wrote:
Hi all,
I have an app that requires 2 types of secure communications:
- one fully secured channel with encrypted data
- one fully secured channel, *except* that the data itself is not secret, and does not need any encryption.
Do you mean to say that you have something like a secured protocol (like a pipe) in which you can send data of another protocol (like water inside a pipe)? As far as I know you secure the channel by encoding your entire data stream.
Hence, I would be grateful if someone could spell out what the following cipher suite provides:
DES-CBC3-SHA
Digital Encryption Standard-Cipher Block Chaining-Secured Hash (Algorithm). It means that the encryption method is DES (which is really risky to use nowadays unless you don't have any other choice). Cipher Block Chaining is a method of encryption using IVs in which your cipher text is arrived at by using the previous block. SHA is a checksum algorithm.
that the following one doesn't:
NULL-SHA
No encryption (meaning worthless) + only checksum of the data. I may be wrong so please correct me.
with regards to the following security features:
1. secrecy (encryption)
2. authentication (sender/receiver validation)
3. prevention of message tampering
One other thing .. once the handshake is over, is there much CPU/network bandwidth overhead in using NULL-SHA, compared with unsecured tcp?
--
http://www.jaiashu.com/
-------------------------------------
"I would like to change the world,
but they won't tell me the source code"
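
Added example (not part of the original thread): a simplified Python model of how a TLS 1.0 record is protected under NULL-SHA, where the payload travels in cleartext followed by an HMAC-SHA1 tag computed over the sequence number, header fields and payload. The key, payload and function names are constructed for illustration; the handshake, where certificates authenticate the peer, is not modelled.

```python
import hashlib
import hmac
import struct

MAC_LEN = 20            # SHA-1 output size in bytes
APPLICATION_DATA = 23   # TLS record content type
TLS10 = (3, 1)          # protocol version bytes for TLS 1.0


def _mac(key, seq, ctype, payload):
    # TLS 1.0 record MAC: HMAC-SHA1(key, seq || type || version || length || fragment)
    prefix = struct.pack("!QBBBH", seq, ctype, *TLS10, len(payload))
    return hmac.new(key, prefix + payload, hashlib.sha1).digest()


def protect(key, seq, payload):
    """Build a NULL-SHA style record: header, cleartext payload, then MAC."""
    body = payload + _mac(key, seq, APPLICATION_DATA, payload)
    return struct.pack("!BBBH", APPLICATION_DATA, *TLS10, len(body)) + body


def verify(key, seq, record):
    """Return the payload if the MAC matches for the expected sequence number, else None."""
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + length]
    if (major, minor) != TLS10 or len(body) != length or length < MAC_LEN:
        return None
    payload, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    ok = hmac.compare_digest(tag, _mac(key, seq, ctype, payload))
    return payload if ok else None


def demo():
    key = b"constructed-mac-write-secret"   # constructed sample key (assumption)
    payload = b"price=100;item=widget"      # constructed sample data (assumption)
    rec = protect(key, 0, payload)
    tampered = rec.replace(b"price=100", b"price=001")
    return {
        "visible_on_wire": payload in rec,                    # feature 1: no secrecy
        "accepted": verify(key, 0, rec) == payload,           # intact record passes
        "tamper_rejected": verify(key, 0, tampered) is None,  # feature 3: tampering detected
        "replay_rejected": verify(key, 1, rec) is None,       # old record fails at a new sequence number
        "overhead_bytes": len(rec) - len(payload),            # 5-byte header + 20-byte MAC
    }


if __name__ == "__main__":
    print(demo())
```

In this model the per-record cost over raw TCP is the 5-byte header and 20-byte tag plus one HMAC-SHA1 computation on each side.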