Oracle Advanced Networking Option Administrator's Guide
These enhancements are described in this appendix, along with information on how to configure them.
A key is a secret shared by both sides of the connection and by no one else. Without the key, it is extremely difficult to decrypt an encrypted message or to tamper undetectably with a crypto-checksummed message. Diffie-Hellman is subject to a particular computationally expensive table-based attack, in which the attacker invests the effort of building a table for one fixed set of Diffie-Hellman parameters and then reuses it against every key exchange made with those parameters. Site-specific Diffie-Hellman lowers the effectiveness of this attack by enabling the Diffie-Hellman parameters at each site to be changed frequently, so that a table built for one set of parameters is of no use once they change.
The system administrator can lessen the consequences of this attack by running a parameter generation program called naegen to change the default Diffie-Hellman parameters. The Advanced Networking Option server will then use the modified parameters to establish a Diffie-Hellman session key with the Advanced Networking Option client. If the Diffie-Hellman parameters do not exist, the Advanced Networking Option server will use its default parameters.
You can use the naegen utility to generate the new Diffie-Hellman parameters. naegen takes either no argument or a single integer argument in the range 256 to 512, for example:
naegen 300
This argument represents the number of bits in the generated parameters. If you do not provide an argument to naegen, naegen generates 512-bit parameters. If a number lower than 256 is provided as the argument, naegen generates 256-bit parameters. Once it has generated the parameters, naegen stores them in snsdh.ora, which is then read by the Advanced Networking Option server and used in key negotiation. Note that every time the administrator runs naegen, the values in the snsdh.ora file will be different.
If you are using a 40-bit key such as RC4_40, you should provide naegen an argument of 300 or greater. If you are using a 56-bit key such as DES, you should provide an argument of 512.
Although using different Diffie-Hellman parameters for each connection is preferred for better security, it is not feasible because naegen can take up to 4 minutes to generate the necessary parameters, depending on the parameter size. Therefore, it is recommended that network administrators generate the parameters once a day. Optionally, you could generate the parameters once a week or once a month.
The client and the server begin communicating using the session key negotiated with Diffie-Hellman. When the client authenticates itself to the server, a shared secret is established that is known only to the two sides. The Advanced Networking Option then combines that shared secret with the Diffie-Hellman session key to generate a stronger session key, which defeats a man-in-the-middle attacker, who has no way of knowing the shared secret.
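The following Python program is an added illustration of the two mechanisms described above (the site-specific parameter generation that naegen performs, and the combination of the Diffie-Hellman session key with the authentication shared secret). It is not Oracle's naegen, not the Advanced Networking Option protocol, and does not read or write snsdh.ora; the safe-prime search, the HMAC-based key combination, the function names and the hard-coded authentication secret are all constructed for this example. The argument handling in effective_bits mirrors only what the text states (no argument means 512 bits, a value below 256 means 256 bits).

```python
"""Added example: site-specific Diffie-Hellman parameters and a session key
strengthened with an authentication secret. Not Oracle's naegen or ANO code."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47,
                53, 59, 61, 67, 71, 73, 79, 83, 89, 97)


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Trial division by small primes followed by Miller-Rabin."""
    if n < 2:
        return False
    if n == 2 or n in SMALL_PRIMES:
        return True
    if n % 2 == 0 or any(n % p == 0 for p in SMALL_PRIMES):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def effective_bits(arg: Optional[int]) -> int:
    """Argument handling as documented for naegen: no argument means 512 bits,
    anything below 256 is raised to 256. Values above 512 are outside the
    documented range and are passed through unchanged here (assumption)."""
    if arg is None:
        return 512
    return max(arg, 256)


def generate_dh_parameters(bits: int) -> Tuple[int, int, int]:
    """Return (p, q, g): a fresh safe prime p = 2q + 1 with exactly `bits` bits
    and a generator g of the order-q subgroup. Every call yields new values,
    just as every run of naegen writes different values to snsdh.ora."""
    while True:
        # q has bits-1 bits, odd, top bit forced so that p = 2q + 1 has `bits` bits
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if not is_probable_prime(q):
            continue
        p = 2 * q + 1
        if is_probable_prime(p):
            break
    while True:
        h = 2 + secrets.randbelow(p - 3)
        g = pow(h, 2, p)  # a square lies in the subgroup of order q
        if g != 1:
            return p, q, g


def dh_keypair(p: int, q: int, g: int) -> Tuple[int, int]:
    """Private exponent x in [1, q-1] and public value g^x mod p."""
    x = 1 + secrets.randbelow(q - 1)
    return x, pow(g, x, p)


def dh_shared_secret(p: int, q: int, peer_public: int, private: int) -> int:
    """Reject out-of-range and small-subgroup public values before use."""
    if not 1 < peer_public < p - 1 or pow(peer_public, q, p) != 1:
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, p)


def derive_session_key(dh_secret: int, auth_secret: bytes) -> bytes:
    """Combine the Diffie-Hellman session key with the secret shared after
    client authentication. A relay sitting between client and server knows
    dh_secret for each leg it negotiated, but without auth_secret it cannot
    compute this key, which is the point made in the text."""
    dh_bytes = dh_secret.to_bytes((dh_secret.bit_length() + 7) // 8, "big")
    return hmac.new(auth_secret, dh_bytes, hashlib.sha256).digest()


def run_exchange(bits: int, auth_secret: bytes) -> Tuple[bytes, bytes]:
    """Client/server exchange over freshly generated parameters; returns the
    key each side derived (they must agree)."""
    p, q, g = generate_dh_parameters(bits)
    client_priv, client_pub = dh_keypair(p, q, g)
    server_priv, server_pub = dh_keypair(p, q, g)
    client_key = derive_session_key(dh_shared_secret(p, q, server_pub, client_priv), auth_secret)
    server_key = derive_session_key(dh_shared_secret(p, q, client_pub, server_priv), auth_secret)
    return client_key, server_key


if __name__ == "__main__":
    # Constructed authentication secret standing in for the one established
    # during client authentication; a real deployment never hard-codes it.
    c, s = run_exchange(effective_bits(300), b"constructed-auth-secret")
    print("both sides derived the same key:", c == s)
```

Generating a 300-bit safe prime in pure Python takes noticeably longer than a 64-bit one, which is the same cost-versus-freshness trade-off the text describes for naegen; the parameter size passed to run_exchange controls it directly.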
Copyright © 1996 Oracle Corporation. All Rights Reserved.