delta/python-packages/pycrypto.git - github.com: dlitz/pycrypto.git

diff options


context:
space:
mode:

Diffstat (limited to 'pipermail/pycrypto/2009q1/000068.html')

-rw-r--r--

pipermail/pycrypto/2009q1/000068.html

129

1 files changed, 129 insertions, 0 deletions

diff --git a/pipermail/pycrypto/2009q1/000068.html b/pipermail/pycrypto/2009q1/000068.html
new file mode 100644
index 0000000..2d98d3e
--- /dev/null
+++ b/pipermail/pycrypto/2009q1/000068.html

@@ -0,0 +1,129 @@

+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">

+<HTML>

+ <HEAD>

+ <TITLE> [pycrypto] Quick and Easy Email Authentication

+ </TITLE>

+ <LINK REL="Index" HREF="index.html" >

+ <LINK REL="made" HREF="mailto:pycrypto%40lists.dlitz.net?Subject=%5Bpycrypto%5D%20Quick%20and%20Easy%20Email%20Authentication&In-Reply-To=5.2.1.1.0.20090201143122.03f7e130%40plus.pop.mail.yahoo.com">

+ <META NAME="robots" CONTENT="index,nofollow">

+ <META http-equiv="Content-Type" content="text/html; charset=us-ascii">

+ <LINK REL="Previous" HREF="000060.html">

+ <LINK REL="Next" HREF="000069.html">

+ </HEAD>

+ <BODY BGCOLOR="#ffffff">

+ <H1>[pycrypto] Quick and Easy Email Authentication</H1>

+ David MacQuigg

+ <A HREF="mailto:pycrypto%40lists.dlitz.net?Subject=%5Bpycrypto%5D%20Quick%20and%20Easy%20Email%20Authentication&In-Reply-To=5.2.1.1.0.20090201143122.03f7e130%40plus.pop.mail.yahoo.com"

+ TITLE="[pycrypto] Quick and Easy Email Authentication">macquigg at ece.arizona.edu

+ </A>

+ Wed Feb 11 09:41:54 CST 2009

+ <UL>

+ <LI>Previous message: <A HREF="000060.html">[pycrypto] Quick and Easy Email Authentication

+</A></li>

+ <LI>Next message: <A HREF="000069.html">[pycrypto] Quick and Easy Email Authentication

+</A></li>

+ <LI> Messages sorted by:

+ <a href="date.html#68">[ date ]</a>

+ <a href="thread.html#68">[ thread ]</a>

+ <a href="subject.html#68">[ subject ]</a>

+ <a href="author.html#68">[ author ]</a>

+ </LI>

+ </UL>

+ <HR>

+

+<PRE>I think there is a fundamental problem with what I am proposing below.

+The cipher text (authcode) has to be much longer than the four bytes I've

+shown in the example, or it will be trivial to break. Before giving up

+on this approach, I thought I would check with the crypto experts on this

+list. Am I missing something simple, maybe a different algorithm than

+RSA, maybe some way to do this with hashcodes? If we can solve this

+problem, it could lead to a robust, no-exceptions policy on

+authentication of SMTP mail sessions.

+Let me try to state the problem in more fundamental terms. A stranger

+says HELO this is f33faf76.mailout09.arizona.edu. The only other

+information you have to verify that claim is a DNS text record at

+mailout09.arizona.edu. That record can hold up to 480 bytes of text.

+The authcode can be a little longer than f33faf76, but the longer we make

+it, the less likely senders will use it in their HELO commands. The

+shorter we make it, the more likely forgers will be able to produce a

+valid authcode by brute force methods. A lot depends on how long we

+expect the authcode to remain valid. The scheme I suggested below

+returned a timestamp valid for only a few seconds, making it impractical

+to try 2**32 possible authcodes. Yes, I know it can be done with

+massively parallel processors, but our requirement is only enough

+security to quickly screen out 99% of the forged IDs presented by petty

+criminals. More secure sites can add additional checks, including a

+digital signature on the entire message.

+-- Dave

+************************************************************ *

+* David MacQuigg, PhD email: macquigg at ece.arizona.edu * *

+* Research Associate phone: USA 520-721-4583 * * *

+* ECE Department, University of Arizona * * *

+* 9320 East Mikelyn Lane * * *

+* <A HREF="http://purl.net/macquigg">http://purl.net/macquigg</A> Tucson, Arizona 85710 *

+************************************************************ *

+At 04:30 PM 2/1/2009 -0700, David MacQuigg wrote:

+>I'm working on an email authentication system that needs a little more

+>security. The idea is that a sender will include an authentication code

+>in the very first command to request an email session. For example,

+>arizona.edu might include the code 'f33faf76' as in:

+>.

+>. HELO IDf33faf76.mailout09.arizona.edu

+>.

+>The receiver can then verify that this is not a forgery by getting a DNS

+>record from mailout09.arizona.edu. The simplest way to do this is for

+>arizona.edu to publish that code verbatim, and change it frequently. It

+>won't take long, however, for the crooks to modify their zombies to query

+>the DNS records at the victim domain, and use the same code in their

+>forged HELO commands.

+>

+>So what we really need in the sender's DNS record is not the actual code,

+>but a public key that can be used to decrypt the code and prove not only

+>that it was generated by the alleged sender, but it was generated

+>recently, like within a few seconds of when the HELO command was sent.

+>

+>I'm trying to figure out how to do this with PyCrypto, but the API

+>documentation is not much help. It would be nice to have an example

+>showing encryption and decryption using RSA.

+>

+>Here are the stub functions I'm using:

+>.

+>. def encrypt(plaintext, privkey):

+>. return 'f33faf76'

+>.

+>. def decrypt(authcode, pubkey):

+>. return '315:14:45:03' # day:hour:minute:second

+>.

+>Help will be greatly appreciated. I'll be glad to help with

+>documentation, once I understand how this package is used.

+

+</PRE>

+

+ <HR>

+ <UL>

+

+ <LI>Previous message: <A HREF="000060.html">[pycrypto] Quick and Easy Email Authentication

+</A></li>

+ <LI>Next message: <A HREF="000069.html">[pycrypto] Quick and Easy Email Authentication

+</A></li>

+ <LI> Messages sorted by:

+ <a href="date.html#68">[ date ]</a>

+ <a href="thread.html#68">[ thread ]</a>

+ <a href="subject.html#68">[ subject ]</a>

+ <a href="author.html#68">[ author ]</a>

+ </LI>

+ </UL>

+<hr>

+<a href="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto">More information about the pycrypto

+mailing list</a>

+</body></html>