lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]


PA wrote:

I would like to simulate a public key infrastructure on the cheap for authentication purpose... for example, two applications communicate over SMTP and the server would like to authenticate the client...

[snip]

To validate a signature, the server call back the client with both the original banner value as well as the signature it has received. The client can then validate the signature by encrypting the value with its private key and see if it matches.

If the client is in charge of validating the signature, where is your authentication? Are you worried about connection interception? Your protocol seems like it is very vulnerable to an intruder listening on the network who could impose as either one of the players.

As the others have pointed out, there is more to a secure protocol than throwing together lots of hashes and encryptions. You took out the shared secret; do you know what role it plays? Why is it important? Does your protocol allow client authentication to the server? What about server authentication to the client? Do you care about either/both of these? Cryptography is only a portion of the problems when it comes to protocols. Even a protocol that uses (theoretically!) unbreakable cryptography can be very vulnerable to imposture or authentication failure.

--
~David-Haley
http://david.the-haleys.org

p.s. Hi everybody! :-) I've been lurking for a while. The comments on
this list have been very useful in furthering my understanding of how
things should be done in Lua (i.e. the "Lua Way".) Thank you to all and
especially to the developers of this very fine language.