Changes

Jump to: navigation, search

DyKnow

245 bytes added, 01:49, 29 November 2009
Security
=Security=
In the spring of 2009, the [http://www.security.vt.edu/ IT Security Office] and DyKnow were alerted that the login process was unsafe. Passwords were being sent over the wire as an [[w:MD5|MD5 hash]] with a static [[w:Salt (cryptography)|salt]], allowing [[w:Replay attack|replay attacks]] and symmetrically encrypted with [[w:Password crackingAdvanced Encryption Standar|password crackingAES]] (but not , while the salted MD5 hash is invulnerable to [[w:Rainbow table|precomputation attacks]]), the symmetric encryption was performed with key information shared between all clients, allowing for simple decryption if the traffic could be intercepted. Within a month, users the issue was worked around. Users were instructed to enable SSL for transactions and unencrypted access to the server was shut off.
If it is preferable for the traffic to remain unencrypted for some time, using [[socat]] as a [[Socat#Cleartext_to_SSL_Tunnel_for_DyKnow|plaintext-to-SSL proxy]] allows the final end of the connection to be encrypted but the middle initial segment to remain unencrypted.
=Patents=
Anonymous user

Navigation menu