[Verse-dev] Crypto questions

Eskil Steenberg eskil at obsession.se
Mon Feb 21 20:23:45 CET 2005


Hi, I'm in London!


> I believe I have done the necessary changes to use the keys specified in
> Eskil's earlier post for the various stages, now. Feels better. :)

Great!

But as the careful reader might have noticed in my description, there is
quite a big hole in the security system. The host sends its public host id
to the client but never actually proves that it has the private key.

To do this the host must encrypt something the client provided using its
private key and send it back to the client. But (here comes the twist) the
host can't decrypt anything the client asks it to, because then the client
can ask it to decrypt other people's passwords.

It's not too hard to work out, but we need to fix this.

E
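
The hole described in the message above, and one possible way to close it, as an added example that is not part of the original post or of the Verse code base: a host that applies its private key to raw client input acts as a decryption oracle, while a host that only applies it to a labelled hash of the client's nonce still proves key possession. The toy RSA key, the `LABEL` value, the sample secret and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy textbook-RSA host key built from two Mersenne primes (constructed for this
# example: far too small for real use, and real RSA needs proper padding).
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
LABEL = b"host-proof-v1|"  # hypothetical domain-separation label

def encrypt_to_host(secret: bytes) -> int:
    """What a client does with the host's public key, e.g. for a password."""
    return pow(int.from_bytes(secret, "big"), E, N)

def naive_host_respond(blob: int) -> int:
    """Flawed proof: private-key operation on whatever the client supplies."""
    return pow(blob, D, N)

def challenge_digest(nonce: bytes) -> int:
    """Labelled hash of the client's nonce, reduced into the RSA modulus."""
    return int.from_bytes(hashlib.sha256(LABEL + nonce).digest(), "big") % N

def hardened_host_respond(nonce: bytes) -> int:
    """Private key only ever touches the labelled hash, never raw client data."""
    return pow(challenge_digest(nonce), D, N)

def client_verify(nonce: bytes, proof: int) -> bool:
    """Client checks the proof against the host's public key (E, N)."""
    return pow(proof, E, N) == challenge_digest(nonce)

if __name__ == "__main__":
    captured = encrypt_to_host(b"hunter2")  # constructed sample secret
    as_bytes = captured.to_bytes(12, "big")
    # Naive host: the "proof" hands back someone else's plaintext.
    print(naive_host_respond(captured).to_bytes(7, "big"))
    # Hardened host: the same input only yields a signature over its hash.
    print(hardened_host_respond(as_bytes) == int.from_bytes(b"hunter2", "big"))
    # Honest run: a fresh random nonce, proof verifies under the public key.
    nonce = secrets.token_bytes(16)
    print(client_verify(nonce, hardened_host_respond(nonce)))
```

In a real deployment the hashing-and-signing step would come from a vetted signature scheme rather than textbook RSA.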


