[proposed fix] tinc has a security hole
Ivo Timmermans
zarq at spark.icicle.yi.org
Sun Aug 27 16:44:25 CEST 2000
Ivo Timmermans wrote:
> Sending your passphrase encrypted is all fine, but tinc sends the key
> with which it was encrypted about a second later...
What about we establish a shared secret key like we normally do, and
then transmit the passphrase encrypted with the secret key? I can't
remember why we did it the way it is...
And while we're at it, why not just encrypt everything?
like this:
client server
1 connects to server
2 accepts connection, send HELLO
3 send PUBLIC KEY
4 send PUBLIC KEY
From now on, everything can be encrypted.
5 send BASIC INFO
6 send BASIC INFO
7 send PASSPHRASE
8 send PASSPHRASE
9 connected connected
--
Ivo Timmermans
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
Url : http://brouwer.uvt.nl/pipermail/tinc-devel/attachments/20000827/bbb6fcdb/attachment.pgp
More information about the Tinc-devel
mailing list