 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
.NET Forum / .NET Framework / Security / January 2008Encryption scheme using RSA
Hi, in my company we are using a proprietary clear text protocol to do the communication between client and server for a product of ours. The protocol requires authentication, but login and password pass on the network in clear text. We want to modify the protocol in order to protect at least the password. The scheme we invented is the following: - CLIENT connects - SERVER generates an RSA key pair and sends the private key to CLIENT - SERVER generates a random number and sends it to CLIENT - CLIENT obfuscate the password bits using the random number ( in a reversible way!), encrypt the result with the public key and sends the encrypted stuff to SERVER - SERVER decrypts with private key, un-obfuscate and obtain the password of CLIENT. - SERVER validate the password and allows/denies access I know it not a standard way to use asymmetric encryption, but I would like to hear from you what the main flaws are in this idea. Thanks in advance jaqq How do you want to protect the clients against spoofed servers? In other words - there are no server authentication bits in your scheme. Why don't you simply wrap the whole (clear text) protocol in an SslStream? ----- Dominick Baier (http://www.leastprivilege.com) Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp) > Hi, > [quoted text clipped - 26 lines] > Thanks in advance > jaqq here are some more details which explain our choices: suppose there is no way for an attacker to perform active attacks (man- in-the-middle, connection hijacking, setting up a spoofed server, etc.). The only thing he can do is to sniff the network traffic, trying to steal passwords for a later use. My schema is intended to prevent this only risk, nothing more. So I have only been careful about: - the password bits which travels on the network must be encrypted; - on every new connection, bits which are exchanged during authentication must be completely different, in order to prevent replay attacks We are trying to implement a minimum effort solution in order to raise a bit the security level of the system. More standard and powerful solutions are currently unfeasible because of several reasons (tight deadlines, concerns about speed of execution, and also some politics). Thanks for any other comment you can give On Jan 9, 1:43 pm, Dominick Baier <dbaier@pleasepleasenospam_leastprivilege.com> wrote: > How do you want to protect the clients against spoofed servers? In other > words - there are no server authentication bits in your scheme. [quoted text clipped - 36 lines] > > Thanks in advance > > jaqq fair enough. In this case your scheme looks good to me. ----- Dominick Baier (http://www.leastprivilege.com) Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp) > here are some more details which explain our choices: > [quoted text clipped - 60 lines] >>> Thanks in advance >>> jaq On Jan 10, 3:36 pm, gianluca.orte...@nsn.com wrote: > here are some more details which explain our choices: > [quoted text clipped - 16 lines] > > Thanks for any other comment you can give Clearly, you have little experience with cryptography and secure protocol design (judging by funny mistake "Private" instead of "Public", as welll as bad protocol design and the fact that you ask that question here ;) Using SslStream, as it was suggested by Dominic, will only save you your development time (it will probably be faster than implementing your own schema) and it will save you embarrassments from the problems of your totally flawed schema. -Valery. OK, but can you detail your "totally flawed" in some points (except for the private/public mistake)? for example, in which ways could an attacker break this schema? About the alternative solutions, the decision is not completely up to me. Otherwise I would have enthusiastically embraced an SSL or SSH solution. gianluca On Jan 11, 2:55 pm, gianluca.orte...@nsn.com wrote: > OK, but can you detail your "totally flawed" in some points (except > for the private/public mistake)? for example, in which ways could an [quoted text clipped - 5 lines] > > gianluca First of all - there was no definition of the scheme, just some mumbling that only give very vague idea about what you want to do. But even from that it is clear to see that many active attacks (with man in the middle) break the scheme completely. (f.e. attacker pretends to be a server and after one single answer from your client, attacker already knows everything about how to authenticate him/her self to a real server). Even if we forget about the most devastating attack on your "protocol" when attacker is able to intersect communication between client and server and replace server's public key with attackers' own public key - you still have lots of extra openings for new attack on your protocol. Take for example your "reversible obfuscation of the password". How do you "encrypt reversibly obfuscated" password? Is it RSA encrypted or RSA enveloped? If it is RSA encrypted, what padding scheme you use? If you use good padding - what is the reason for you "reversible obfuscation of password"? Your obfuscation can not improve security of your protocol, but it can however introduce a lot of weaknesses! Since it is reversible you have to assume that algorithm is known to attacker (see Auguste Kerckhoff's 6 rules of secure system design that he expressed in 1883!). That means that control over "a random number that is sent from server" gives attacker possibility to do lots of extra bits twigging and open lots of new vectors of attack. What you wrote was not(!) in any way description of secure protocol. You want to see how secure protocol is described - check definition of standard security protocols! But remember that even with these protocols, lots of things are still omitted from the description (such as some security proofs and assumptions), but assumes familiarity with articles referred from the standard protocol description. -Valery Valery! Good to know you are alive. Could you ping me with your new email address? ----- Dominick Baier (http://www.leastprivilege.com) Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp) > On Jan 10, 3:36 pm, gianluca.orte...@nsn.com wrote: > [quoted text clipped - 28 lines] > of your totally flawed schema. > -Valery. well - yes - i assumed that the public/private was a typo...;) ----- Dominick Baier (http://www.leastprivilege.com) Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp) > On Jan 10, 3:36 pm, gianluca.orte...@nsn.com wrote: > [quoted text clipped - 28 lines] > of your totally flawed schema. > -Valery. Also - anybody could hijack an existing connection after the initial auth handshake. ----- Dominick Baier (http://www.leastprivilege.com) Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp) > Hi, > [quoted text clipped - 26 lines] > Thanks in advance > jaqq Hello! You wrote on Wed, 9 Jan 2008 02:04:14 -0800 (PST): go> - SERVER generates an RSA key pair and sends the private key to CLIENT Did you mean "sends the PUBLIC key to ..."? In general, I am wondering why not use one of the established schemes which give you the definitely reliable result. Now you think that MITM attacks are not possible, and later you get one ... With best regards, Eugene Mayevski http://www.SecureBlackbox.com - the comprehensive component suite for network security Free MagazinesGet these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...
|
Reply to this Message
|
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.