W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > May to August 1999

RE: Password change via HTTP

From: Steve Parker <sparker@well.com>
Date: Mon, 14 Jun 1999 21:13:16 -0700
To: "'Ben Laurie'" <ben@algroup.co.uk>
Cc: "'Alex Kodat'" <ALEX@SIRIUS.sirius-software.com>, <hallam@ai.mit.edu>, <http-wg@hplb.hpl.hp.com>
Message-ID: <001801beb6e5$65443f10$0100a8c0@steve.well.com>
> From: Ben Laurie [mailto:ben@algroup.co.uk]
> Err? And who leaves their private key lying around unencrypted?
That's the question I would have asked myself until recently.
Doesn't help (well, just a slight delay) - see Shamir and van
Someren's paper "Playing hide and seek with stored keys", delivered
to this year's Financial Cryptography conference: "We describe efficient
algebraic attacks which can locate secret RSA keys in long bit strings,
and more general statistical attacks which can find arbitrary cryptographic
keys embedded in large programs. These techniques can be used to apply
lunchtime attacks on signature keys used by financial institutes, or to
defeat authenticode mechanisms in software packages." Shamir is the S in
RSA.
Useful tips on how to recover cryptographic keys from Windows NT can be
found at Peter Gutmann's pages:
http://www.cs.auckland.ac.nz/~pgut001/index.html
>
> > Also, how can I be sure that the "client" serving up the
> > certificate is the endpoint? A toolkit like WIDL would appear to
> > provide a screen scraping capability for http which effectively
> > creates a potential proxy, of which I, at the server end have
> > no knowledge. Even if I have a cryptographically secure tunnel,
> > and have a certificate, how do I know that someone hasn't added
> > their own plumbing to the client?
>
> Why do you care?

If I trust the certificate alone, then I am mistakenly trusting a
program, not an individual ... then I have delegated authentication
to that program.

> What were you planning to add to certs+crypto to make it more secure?
I don't have a perfect answer. I would at least add passwords. And not
use NT.

Unfortunately, there is no plateau with security, and no soundbyte
solution.

> Cheers,
>
> Ben.
>
Regards,

Steve
Received on Tuesday, 15 June 1999 05:16:28 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:31 EDT