| |
| |
| |
|
Page: 1 2
<AndroSyn> Cdogg: that must have been a happy accident on our part :P
<Cdogg> ;)
<Cdogg> i mean honestly
<Cdogg> anything im like can ratbox do this...
<Cdogg> response is always yes
<Cdogg> im like can i have *** w/ ratbox
<Cdogg> some one will tell me yes
<Cdogg> i might replace my woman w/ ratbox ...
<AndroSyn> you might wish to seriously reconsider that
<Cdogg> yea our kids might be ugly
<AndroSyn> but with the ssl stuff, i'm kinda getting the motivation around to do the ssl stuff in devel..
<Cdogg> ssl isnt very difficult to add in
<Cdogg> just wrap it
<Cdogg> :)
<AndroSyn> well what i'm going to want to implement is something like starttls
<AndroSyn> along with having a dedicated port for it..
<Cdogg> hybrid implemented ssl
<AndroSyn> mind you no clients currently support starttls
<Cdogg> copy and paste :P
<AndroSyn> but there is a good reason for doing it starttls style..
<Cdogg> why is that?
<Cdogg> ratbox supports server to server ssl right?
<AndroSyn> with having a ssl port listening..its really easy to do a denial of service attack against it..
<AndroSyn> the most expensive part of the ssl session is the initial rsa handshake
<AndroSyn> think of say 200 drones hammering at that using ssl
<AndroSyn> no ratbox doesn't support s-s ssl
<Cdogg> no?
<AndroSyn> 1.x supported cryptlinks..
<Cdogg> why does it ask if i want to build w/ openssl?
<AndroSyn> but that wasn't ssl
<AndroSyn> the ssl stuff in 2.x
<AndroSyn> is for /challenge
<Cdogg> challenge?
<AndroSyn> which is public key oper authentication
<Cdogg> ah
<AndroSyn> if you do a /challenge opernick
<AndroSyn> it sends you a string encrypted with your public key
<Cdogg> does he.net run ratbox?
<AndroSyn> and you have to send back the decrypted string
<AndroSyn> yup it does
<AndroSyn> mind you i have some serious reservations about the /challenge stuff
<Cdogg> k friend of mine is oper there
<AndroSyn> as an attacker if sniffing the session..
<AndroSyn> can get both ciphertext and plaintext
<Cdogg> then whats the point :/
<AndroSyn> tbh, i'm not sure :P
<Cdogg> even more reason why to include ssl
<Cdogg> :)
<anjuta> tha attacker will still need the private key
<Cdogg> ah
<anjuta> imho, of course
<AndroSyn> anjuta: you end up with both the plaintext and ciphertext..
<anjuta> the cypher text is encrypted using the public key
<Cdogg> AndroSyn you tested it?
<anjuta> if i'm correct
<AndroSyn> anjuta: and then you send back to the server the decrypted text :P
<AndroSyn> i haven't tested it, but from a cryptographic viewpoint its a dumb idea :P
<anjuta> but.. isn't this text always different ?
<AndroSyn> yes, but you've got what the text looked like before and after
<anjuta> if it's different, then this is a non-issue, otherwise you have big problems :)
<AndroSyn> its going to be different..
<AndroSyn> but that just means the next time you sniff it..
<AndroSyn> its even easier to figure out the keys
<anjuta> you still miss the public key
<anjuta> and the public key is a multiply of 2 big prime numbers
<AndroSyn> i know what the public key is..
<anjuta> umm, how come ?
<AndroSyn> but you have a complete and total breakdown of the system
<AndroSyn> read up on plaintext attacks
<anjuta> the oper is sending it in ?
<AndroSyn> yes
<AndroSyn> challenge works like this..
<AndroSyn> server generates a random string
<AndroSyn> encrypts it with your public key
<AndroSyn> you receive this, decrypt it
<anjuta> it would be smarter if the public key is stored in the server config
<AndroSyn> and send it back to the server
<AndroSyn> it *is*
<AndroSyn> you send the server back what you just got..
<AndroSyn> decrypted
<AndroSyn> its a perfect known plaintext attack
<AndroSyn> aka *pointless*
<AndroSyn> http://en.wikipedia.org/wiki/Known-plaintext_attack
<Cdogg> ****in wiki
<AndroSyn> heh
<anjuta> humm
<anjuta> i better dig back to my cryptography books
<AndroSyn> heh
<AndroSyn> i forget who did the challenge thingy..
<AndroSyn> but they should be cockslapped
<AndroSyn> what they *should* have done was
<AndroSyn> have the server send ciphertext..
<AndroSyn> oper decrypts and then does a md5sum or sha1sum or something on the decrypted data
<AndroSyn> and then sent back the checksum
<anjuta> that would be smarter..
<sjk> androsyn-challenge.patch
<sjk> 8)
<AndroSyn> probably will use sha256
<anjuta> yeah.. sha1 has too much collisions :)
<AndroSyn> that wasn't too hard..just need to see if it works now
<AndroSyn> i'm not sure who thought it would be a good idea to send the plaintext..
<AndroSyn> ffs
<jilles> also it's stupid you can't use an RSA key longer than 1024 bits
<AndroSyn> that should be easy to fix as well..
<jilles> it should use base64 instead of ASCII hex digits
<jilles> this still seems a homebrew crypto thing
<AndroSyn> yeah
<AndroSyn> it very much is
<AndroSyn> its just as secure as using a plaintext oper p***word
<jilles> I doubt it's very useful to replace homebrew crypto #1 by homebrew crypto #2
<AndroSyn> well i think that it can be made somewhat more functional than it currently is
<jilles> and what's the difference between what you say about known plaintext attacks and conventional pubkey signing
<jilles> the latter transmits M, E_priv(H(M))
<jilles> you still have some point: in the current /challenge protocol the oper acts as an oracle that decrypts any (small) string for you
<jilles> although the whole thing is not designed to protect against active attacks...
<AndroSyn> i think at least using a hash of the plaintext is slightly better than what its doing currently
<AndroSyn> its still not real great either
<AndroSyn> the best solution would be doing oper authentication using ssl with client and server certificates
<jilles> yes
<AndroSyn> which i do have plans on doing
<AndroSyn> once in a while the openssl guys still bug me about that
<AndroSyn> they use ratbox on their private network and which they didn't have to use stunnel
<AndroSyn> :P
<AndroSyn> though for what it does..i guess a sha256 response to a challenge should be okay?
<Cdogg> hehe i sparked some life into chan
<dougk_ff7> hrm, I must say, ratbox-services is nice, but help leaves much to be desired... a lot of it will confuse newbies like crazy
<jilles> for newbies there is the user introduction, which is unfortunately not in the tarball, only on the web site
<dougk_ff7> yeah
<dougk_ff7> it's just kinda like "oh, here you go" and the errors are not too informative.
<dougk_ff7> (such as, "not logged in" for registering without logging in as a user first...)
<Cdogg> i havent even setup for services yet
<Cdogg> is services an extra package
<jilles> yeah nickserv register when not logged in should suggest userserv register
<Cdogg> or do i just configure with services?
<jilles> services is a separate package
<dougk_ff7> that howto is very nice, though... will drop that in somewhere :D
<dougk_ff7> but, if you --enable-services, some code ewill be enabled to make it work better, from my understanding
<jilles> --enable-services is strongly recommended if you run services
<jilles> ***uming the services you run support the extensions
<dougk_ff7> (couldn't hurt, at least.)
<jilles> yup
<AndroSyn> jilles: your comment about signing vs encrypting with rsa keys..thats why they don't recommend using the same keys for signing and encrypting
<AndroSyn> and by default gpg doesn't use the same keypair for both
<AndroSyn> well..challenge works with a 2048 bit rsa key now
<Cdogg> how do i launch services?
<Cdogg> how do i specify the config file
<Cdogg> seems like its loading and dying asap
<Cdogg> yea its dying each time
<AndroSyn> chekc the log files?
<Cdogg> doh
<Cdogg> lol
Return to ratbox
or
Go to some related
logs:
efnet audio app
football
|
|