\chapter{Authentication methods}

The \tls{} protocol provides confidentiality and integrity protection,
but it also offers authentication of the peer, which is a prerequisite
for a secure connection: without authentication, encryption only protects
against passive eavesdropping, not against an active attacker who
impersonates the peer.
The available authentication methods in \gnutls{} are:
\begin{enumerate}
 \item Certificate authentication
 \item Anonymous authentication
 \item SRP authentication
\end{enumerate}

\input{cert_auth}

\section{Anonymous authentication\index{Anonymous authentication}}
The anonymous key exchange methods encrypt the connection, but give no
indication of the identity of the peer. Because neither side is
authenticated, this kind of key exchange is vulnerable to a
man-in-the-middle attack: it protects only against passive eavesdropping.
It can be used when there is no prior relationship or trusted third party
shared with the peer, or when full anonymity is required.
Unless really required, do not use anonymous authentication.
Available key exchange methods are shown in \hyperref{figure}{figure }{}{fig:anon}.
\par
Note that the key exchange methods for anonymous authentication
require Diffie Hellman parameters to be generated and associated with an
anonymous credentials structure; the strength of the exchange depends on
the size of the prime in those parameters, so they should be generated
with an adequate bit length.

\begin{figure}[hbtp]
\begin{tabular}{|l|p{9cm}|}

\hline
ANON\_DH & Diffie Hellman key exchange in which neither peer is authenticated.
\\
\hline
\end{tabular}

\caption{Supported anonymous key exchange algorithms}
\label{fig:anon}

\end{figure}

\input{srp}

\section{Authentication and credentials}
In \gnutls{} every key exchange method is associated with a
credentials type. So in order to enable a specific
method, the corresponding credentials type should be initialized
and set using \printfunc{gnutls_credentials_set}{gnutls\_credentials\_set}.
A mapping is shown in \hyperref{figure}{figure }{}{fig:kxcred}.

\begin{figure}[hbtp]
\begin{tabular}{|l|l|p{4.5cm}|}

\hline
\textbf{Key exchange} & \textbf{Client credentials} & \textbf{Server credentials}
\\
\hline
\hline
KX\_RSA &&
\\
\cline{1-1}
KX\_DHE\_RSA & CRD\_CERTIFICATE & CRD\_CERTIFICATE
\\
\cline{1-1}
KX\_DHE\_DSS &&
\\
\cline{1-1}
KX\_RSA\_EXPORT &&
\\
\hline
KX\_SRP\_RSA & CRD\_SRP & CRD\_SRP
\\
\cline{1-1}
KX\_SRP\_DSS && CRD\_CERTIFICATE
\\
\hline
KX\_SRP & CRD\_SRP & CRD\_SRP
\\
\hline
KX\_ANON\_DH & CRD\_ANON & CRD\_ANON
\\
\hline
\end{tabular}

\caption{Key exchange algorithms and the corresponding credential types}
\label{fig:kxcred}

\end{figure}