On Mon, 10 Mar 2003 18:00:28 -0500 "James P. Roberts" <punster@???> wrote:
> I don't suppose there is any way to ONLY encrypt the AUTH step, and not
> bother to encrypt email data?
you can use the SMTP AUTH modes like CRAM-MD5 that provide a measure of
security for the authentication step, if that's all you want.
SMTP-over-TLS does exactly that. there's no reason to go to the trouble to
cut it down given that encrypted authorization methods exist.
> I am sure that is a minor piece of the pie, and the bulk of the exercise
> is in negotiating the encryption keys.
ding ding ding ding ding. the RSA or DSA step is much more expensive than
the symmetric encryption of the communication stream with 3DES or AES or
RC4 or whatever. that's why we don't use RSA or DSA to encrypt the stream,
but just to provide shelter for the key negotiation.
> Although not identical content (only one session has the user/pass, for
> one thing!), if it is long enough, I bet it could be cracked, and thus the
> original user/pass combo retrieved.
not that easy. the designers of modern crypto schemes are smarter than
that.
richard
--
Richard Welty rwelty@???
Averill Park Networking 518-573-7592
Unix, Linux, IP Network Engineering, Security
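The CRAM-MD5 exchange Richard refers to, written out as an added example that is not part of the original thread: the server sends a one-time challenge, the client answers with HMAC-MD5(password, challenge), and the server recomputes the digest from its stored copy of the secret. The hostname, user name and password below are constructed for the demonstration; the server must keep the password in a form it can feed to HMAC, which is the usual trade-off of this mechanism.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed credential store for the demonstration (not real accounts).
# CRAM-MD5 needs the server to recompute HMAC-MD5 keyed with the password,
# so the stored secret cannot be a one-way password hash.
USERS = {"james": "correct horse battery staple"}


def make_challenge(hostname: str = "mail.example.test") -> str:
    """Server side: build a fresh RFC 2195 style challenge (<random.time@host>).
    A new challenge per session is what stops a captured response from being replayed."""
    return f"<{secrets.randbelow(10**8)}.{int(time.time())}@{hostname}>"


def cram_md5_response(username: str, password: str, challenge: str) -> str:
    """Client side: HMAC-MD5 over the challenge keyed with the password,
    sent as base64("username hexdigest"). Only the digest crosses the wire,
    so a passive observer sees the user name but never the password."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def verify_response(response_b64: str, challenge: str, users=USERS) -> bool:
    """Server side: decode the reply, recompute the expected digest from the
    stored secret and the challenge actually issued, compare in constant time."""
    try:
        username, digest = base64.b64decode(response_b64).decode().split(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return False
    password = users.get(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    chal = make_challenge()
    reply = cram_md5_response("james", USERS["james"], chal)
    print("challenge:", chal)
    print("response :", reply)
    print("verified :", verify_response(reply, chal))
```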