[Owasp-delhi] SSL Broken..

Karthik Muthukrishnan karthik.muthukrishnan at tcs.com
Wed Jan 14 05:20:28 EST 2009


> salted MD5 hashing protects the authentication credentials rightly from 
> eavesdropping on the network.
Salting is used to protect MD5 hashes from rainbow table attacks. 

> SSL does the same thing.
Yes, SSL is used to ensure confidentiality and trust in the network 
communication. Confidentiality (or prevention of network eavesdropping) is 
ensured by encryption. Trust is accomplished by server and/or client 
certificates.

> However, in some scenarios SSL might not be feasible. For example, 
> causing heavy load on the server or may be some applications don't support 
> it, etc.
In such cases SSL Accelerators are used. They are devices which can be fit 
into the architecture without changing the application or affecting the 
load on the application server.

> We can protect the authentication credentials using salted MD5 hashing 
> or by using SSL.
To protect authentication credentials in HTTP, we have to rely on SSL. 
Hashes are a secure (aka not in clear text) way to store authentication 
credentials.

> In order to protect the Session credentials (Session ID, tokens, 
> cookies, etc) on a non-SSL channel what measures can be taken?
To protect either auth or session credentials we have to ensure 
confidentiality of the communication channel. If we don't use HTTPS, then 
VPN might be another option. While authentication credentials can be 
protected by some challenge handshake mechanism (similar to CHAP), we 
would need to protect session creds by encrypting the channel. 

Karthik
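The two points Karthik makes above, that a salted hash is a storage format rather than a transport protection, and that a CHAP-like challenge handshake can protect the password itself on a non-encrypted channel, can be shown together in a small worked example. The code below is added here and is not from the original thread or from any OWASP project; it assumes PBKDF2-HMAC-SHA256 for the salted credential store (a choice of this example, not the salted MD5 discussed in the mail) and a 16-byte random nonce per login attempt. The credential record, challenge and user names are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for the salted, stretched credential store (an assumption of
# this example; the thread only talks about salted MD5).
PBKDF2_ROUNDS = 100_000


def enroll(password: str, salt: Optional[bytes] = None) -> dict:
    """Server-side enrollment: keep a per-user salt and a derived secret.

    The salt defeats precomputed (rainbow) tables, which is the only thing
    salting buys you; the password itself is never stored.
    """
    salt = salt if salt is not None else os.urandom(16)
    secret = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "secret": secret}


def issue_challenge() -> bytes:
    """Server picks a fresh random nonce for every login attempt."""
    return os.urandom(16)


def client_response(password: str, salt: bytes, challenge: bytes) -> bytes:
    """Client side of the handshake.

    The client re-derives the secret from the password and the salt the
    server sent, then proves knowledge of it over the nonce. Only the salt,
    the challenge and this HMAC cross the wire; the password does not.
    """
    secret = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.new(secret, challenge, "sha256").digest()


def verify(record: dict, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the expected HMAC and compare in constant time."""
    expected = hmac.new(record["secret"], challenge, "sha256").digest()
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Run one genuine login, one replay of the captured response, one bad password."""
    record = enroll("correct horse")          # constructed user record

    c1 = issue_challenge()
    r1 = client_response("correct horse", record["salt"], c1)
    genuine = verify(record, c1, r1)

    # A response seen on the wire is bound to nonce c1. The next login gets
    # a different nonce, so the captured value does not verify again.
    c2 = issue_challenge()
    replayed = verify(record, c2, r1)

    wrong = verify(record, c1, client_response("wrong", record["salt"], c1))
    return {"genuine": genuine, "replayed": replayed, "wrong_password": wrong}


if __name__ == "__main__":
    print(demo())
```

Note what this does and does not cover, in line with the reply above: the handshake keeps the password off the wire, but the session identifier the server hands out afterwards is still sent in the clear on every request, so it remains exposed to eavesdropping unless the channel itself is encrypted (HTTPS, or a VPN as suggested). A stolen copy of the server's derived secret is also sufficient to answer challenges for that user, so the credential store needs the same protection as any password file.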

