LINUX.IE, website of the Irish Linux Users' Group
Tux rules!

   
Home
New Users
Articles
Download
Projects
Community
Vendors

  Print Version
Email to...
 
Archives:


planetILUG

Recent News

News Archive


Join the
ILUG
on FaceBook


Join the
ILUG
on LinkedIn


Join the
ILUG SETI
Group



















 
 :: Mailing Lists

[ILUG] SSH dictionary attacks.

[ILUG] SSH dictionary attacks.

Aine Douglas aine.douglas at gmail.com
Thu Aug 24 14:39:23 IST 2006 

On 8/24/06, Nick Murtagh <nickm at go2.ie> wrote:
> Colm MacCarthaigh wrote:
> > Why wouldn't openssl be able to do it?
>
> That's what I was wondering. Is there someway for ROS to detect that the
> pkcs12 file has been altered (eg a using a MAC - there is some reference
> to this in the openssl pkcs12 man page)?

A pkcs12 file in microsoft windows gets opened by internet explorers
certificate management system, and therefore it is important that the
password you use on a pkcs12 file isn't actually the password, thus
eliminating the potential security problem of someone importing a
legal signing key into a weak key management store.

The password you set on your ROS cert is XOR'd and the last bit
flipped, and thats the actual password for the file. Or at least it
was in the baltimore implementation, haven't verified it since Lan
communications re-engineered the system.

So your ROS java applet does that operation on the password you enter
before applying the password to the security libraries, and similarly,
if you change the password, once your password passes the policy
requirements, it is xor'd and the last bit flipped and applied to your
P12 file, and a copy of the cleartext password sent back to the ROS
system over PKIK communication where it is archived for customer
support reasons.

And just to clear it up, I don't work for Revenue / Ros / Accenture /
Baltimore / Lan communication and have no association with any of the
above nor have I ever had... the above was found through decompilation
of their applet, and refactoring the code obfucation.

So... if you want to manage users passwords for certificate files, you
need to wrap with something like that which uses software traps to
archive passwords etc if necessary. Its really what PKI is all about,
scnearios and policies and mitigating the risks. The joys of
opensource software is that this can easily be implemented in an
organisation without having to invest heavily in employing a large PKI
implementor!

HTH,

Aine.

More information about the ILUG mailing list
Read this without the formatting.
                                                                                                    

  

Hosted by HEAnet


 Maintained by the ILUG website team. The aim of Linux.ie is to support and help commercial and private users of Linux in Ireland. You can display ILUG news in your own webpages, read backend information to find out how. Networking services kindly provided by HEAnet, server kindly donated by Dell. Linux is a trademark of Linus Torvalds, used with permission. No penguins were harmed in the production or maintenance of this highly praised website. Looking for the Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
RSS Version
Powered by Dell