MQ5.3 All Platforms / SSL: does MQ switch symmetric keys?
hopsala
Posted: Sun Mar 13, 2005 9:01 am    Post subject: MQ5.3 All Platforms / SSL: does MQ switch symmetric keys?
Guardian
Joined: 24 Sep 2004    Posts: 960
My question is simple, but I fail to find the answer in MQ literature:
SSL, as a general rule and in MQ channels in particular, first goes through a process of negotiation, which makes sure the right person is talking to the right person. This is done using digitally signed certificates, encrypted with public-private pairs etc. etc.
After all this, the SDR-RCVR pair exchange a randomly generated symmetric key and from then on use this key to encrypt the transported messages (at packet, not message, level). So far goes the literature.
My q: Does MQ change the symmetric key every set time period, and if so, where's the proper parameter?
(This is necessary to prevent someone from using a brute-force technique to crack the symmetric key. If the key is changed every 1 hour or so, the chance someone will crack it in so short a time is small. If, however, a session is maintained for over a week, a simple sniffer PC could probably crack it.)
malammik
Posted: Mon Mar 14, 2005 8:33 am    Post subject:
Partisan
Joined: 27 Jan 2005    Posts: 397    Location: Philadelphia, PA
As far as I can see, MQ does not do anything in regards to refreshing the master secret or any of the encryption keys, probably because the risk you have described above is handled well in SSL 3.0. The master key, a 48-byte secret established as part of the handshake, is then used to create separate encryption keys and MAC keys. The encryption key will be compatible with whatever you have chosen as your symmetric cipher spec. I recommend using AES. If you are concerned about somebody not just reading your data but also changing it, the intruder would have to break the MAC key as well, in ADDITION to the encryption keys. If the connection or session is restarted, server and client generate random numbers and re-calculate new keys. More details here:
http://wp.netscape.com/eng/ssl3/draft302.txt
_________________
Mikhail Malamud
http://www.netflexity.com
http://groups.google.com/group/qflex
Michael Dag
Posted: Mon Mar 14, 2005 1:44 pm    Post subject:
Jedi Knight
Joined: 13 Jun 2002    Posts: 2607    Location: The Netherlands (Amsterdam)
I heard somewhere the key is valid for the duration of the active channel.
So if you have long running channels the keys don't change and can be decoded in time.
To refresh the key you would need to stop/start the channel regularly.
_________________
Michael
MQSystems Facebook page
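To make concrete what the two replies above describe (a 48-byte master secret from the handshake expanded into separate MAC and encryption keys, which stay fixed until the channel is restarted and a new handshake runs), here is an added Python walk-through of the SSL 3.0 key derivation from draft302; it is not code from the thread or from IBM MQ. The key and IV sizes (SHA-1 MAC, 128-bit cipher key, 16-byte IV) and the `handshake` helper are assumptions chosen for illustration.

```python
import hashlib
import os
from typing import Dict

def ssl3_expand(secret: bytes, rand_a: bytes, rand_b: bytes, length: int) -> bytes:
    """SSL 3.0 expansion (draft302 sections 6.1 / 6.2.2): round i uses the salt
    'A', 'BB', 'CCC', ... and appends MD5(secret + SHA1(salt + secret + rand_a + rand_b))."""
    out = b""
    i = 0
    while len(out) < length:
        salt = bytes([ord("A") + i]) * (i + 1)
        inner = hashlib.sha1(salt + secret + rand_a + rand_b).digest()
        out += hashlib.md5(secret + inner).digest()
        i += 1
    return out[:length]

def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # 48-byte master secret; the spec feeds the randoms client-then-server here.
    return ssl3_expand(pre_master, client_random, server_random, 48)

def key_block(master: bytes, client_random: bytes, server_random: bytes,
              mac_len: int = 20, key_len: int = 16, iv_len: int = 16) -> Dict[str, bytes]:
    # The key block reverses the random order: server-then-client.
    # Sizes assume an SHA-1 MAC and a 128-bit cipher with a 16-byte IV (assumption).
    kb = ssl3_expand(master, server_random, client_random, 2 * (mac_len + key_len + iv_len))
    layout = [("client_write_MAC_secret", mac_len), ("server_write_MAC_secret", mac_len),
              ("client_write_key", key_len), ("server_write_key", key_len),
              ("client_write_IV", iv_len), ("server_write_IV", iv_len)]
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = kb[pos:pos + size]
        pos += size
    return keys

def handshake(pre_master: bytes = None, client_random: bytes = None,
              server_random: bytes = None) -> Dict[str, bytes]:
    """Hypothetical helper: one handshake, with fresh secrets unless supplied.
    The same inputs always give the same keys (the channel keeps them for its
    whole life); a restarted channel runs a new handshake with new randoms and a
    new pre-master secret, so every key below changes."""
    pre_master = pre_master or os.urandom(48)
    client_random = client_random or os.urandom(32)
    server_random = server_random or os.urandom(32)
    ms = master_secret(pre_master, client_random, server_random)
    return key_block(ms, client_random, server_random)
```

Calling `handshake()` twice with no arguments models two channel starts: each returns a different key set, while repeating a call with the same constructed inputs returns identical keys.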