[Cryptography] SRP for mutual authentication - as an alternative / addition to certificates?
Ray Dillinger
bear at sonic.net
Tue Aug 4 14:14:36 EDT 2015
On 08/04/2015 07:29 AM, Carlo Contavalli wrote:
> Sharing the cookie / encryption / ... across multiple requests /
> responses should not be hard, similar to SSL session reuse?
I consider SSL session reuse to be a vulnerability. It gives
an attacker additional time to break the SSL key before cutting
in with a "reuse".
We have already seen downgrade attacks that put SSL keys within
reach given an amount of compute power that can be achieved by
a modest cluster in a matter of a few minutes. Session reuse
can give an attacker literally hours to break an SSL key.
Bear
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20150804/a30c1b64/attachment.sig>
More information about the cryptography
mailing list