Open main menu

Linux and Unix Users Group at Virginia Teck Wiki β

Changes

DyKnow

9 bytes added, 14:47, 5 February 2010
Security
=Security=
In the spring of 2009, the [http://www.security.vt.edu/ IT Security Office] and DyKnow were alerted that the login process was unsafe. Passwords are sent by DyKnow over the wire as an [[w:MD5|MD5 hash]] with a static [[w:Salt (cryptography)|salt]] and symmetrically encrypted with [[w:Advanced Encryption Standar|AES]]. While the salted MD5 hash is invulnerable to standard [[w:Rainbow table|precomputation attacks]], the symmetric encryption was performed with key information shared between all clients, allowing for simple decryption if the traffic can be intercepted. Within a month of notification, the issue was worked around at Virginia Tech. Users were instructed to enable SSL for transactions and unencrypted access to the server was shut off. No response from DyKnow on this issue is known of.
If it is preferable for the traffic to remain unencrypted for some time, using [[socat]] as a [[Socat#Cleartext_to_SSL_Tunnel_for_DyKnow|plaintext-to-SSL proxy]] allows the final end of the connection to be encrypted but the initial segment to remain unencrypted.
Anonymous user