On Tue, Oct 02, 2007 at 08:43:04AM -0700, David Schwartz wrote:

> 
> Andreas71 wrote:
> 
> > I'm creating a web service in Erlang, using OpenSSL. I want the clients to
> > communicate with the server over SSL. I'm only interested in the encryption
> > part of SSL, so I don't need any certificates signed by Verisign/etc to
> > verify that the server really is The Server. The service will be installed
> > on many different servers (50-100).
> 
> It's hard to understand how this could make any sense. What good is
> encryption if you have no idea *who* can decrypt the data?
> 
> I need to send a secret message, but I don't care *who* I send it to, so
> long as only they, whoever they are, can decrypt it?!

If the risk model somehow excludes active attacks, and only needs to
deal with passive eavesdropping, this may be a legitimate approach.

Though frequently, the model where "encrypted == secure" is in fact
naive user error, not careful threat analysis, TLS does in fact support
encryption without authentication via the various ADH ciphers.

    $ openssl ciphers -v 'aNULL:!eNULL:!EXPORT:!LOW'
    AECDH-AES256-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
    AECDH-AES128-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(128)  Mac=SHA1
    AECDH-DES-CBC3-SHA      SSLv3 Kx=ECDH     Au=None Enc=3DES(168) Mac=SHA1
    AECDH-RC4-SHA           SSLv3 Kx=ECDH     Au=None Enc=RC4(128)  Mac=SHA1
    ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
    ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
    ADH-DES-CBC3-SHA        SSLv3 Kx=DH       Au=None Enc=3DES(168) Mac=SHA1
    ADH-RC4-MD5             SSLv3 Kx=DH       Au=None Enc=RC4(128)  Mac=MD5

The cipherlist above gives you reasonably "secure" anonymous encryption
with no certs. Of course the "secure" in question is against a specific
threat model, that likely is not based on the right set of attacks.

Given that most SMTP servers have self-signed certs, and SMTP clients by
default don't (and because of MX records can't securely) authenticate
the SMTP servers for the target email domain, Postfix will by default
negotiate anonymous ciphers if supported by both sides. Only when the
SMTP client is actually checking the peername in the cert, or when the
server wants client certs will Postfix insist on non-anonymous ciphers.

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
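
Added example, not part of the original message: a shell check that reads `openssl ciphers -v` style output and lists the suites that encrypt without authenticating the peer (`Au=None`), then applies the rule described above that such suites are only acceptable when the peer is not being verified. The function names, the `verify`/`noverify` arguments and the third sample line are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit `openssl ciphers -v` style output for anonymous suites.

# Print "name kx enc" for every suite whose Au= field is None.
# Fields are matched by their Kx=/Au=/Enc= prefix, not by column position,
# because the protocol-version column differs between OpenSSL releases.
anon_suites() {
    awk '
        NF < 2 || $1 ~ /^[$#]/ { next }   # skip blanks, prompts, comments
        {
            kx = au = enc = "?"
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^Kx=/)  kx  = substr($i, 4)
                if ($i ~ /^Au=/)  au  = substr($i, 4)
                if ($i ~ /^Enc=/) enc = substr($i, 5)
            }
            if (au == "None") print $1, kx, enc
        }'
}

# Return 1 when the peer is supposed to be verified ($1 = "verify") but the
# cipher list on stdin still contains anonymous suites; return 0 otherwise.
# "verify" / "noverify" are hypothetical mode names for this example.
audit_cipherlist() {
    found=$(anon_suites)
    [ "$1" = "verify" ] || return 0
    [ -z "$found" ] && return 0
    printf 'suites without peer authentication:\n%s\n' "$found" >&2
    return 1
}

# Sample input: the first two lines are from the listing in the message,
# the third (an RSA-authenticated suite) is constructed in the same format.
SAMPLE='ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
AECDH-AES128-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(128)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1'

printf '%s\n' "$SAMPLE" | anon_suites
```

To audit a real configuration, pipe the output of `openssl ciphers -v` for the server's configured cipher string into `audit_cipherlist verify`.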
