[AG-TECH] Security in AG

Robert Olson olson at mcs.anl.gov
Tue Aug 17 13:21:29 CDT 2004


>- This is done by certificates?

Yes, the AG software uses X.509 identity certificates for the purposes of 
authenticating communications endpoints.

>* After I notice someone has broken in to my venue, I can "blacklist"
>him/her, or rather that particular certificate.

Yes, by manipulating the access control for that venue.

>* I can also beforehand deny anyone access to my venue except certain
>certificates, some selected persons that I want to allow in? They must
>already have access to my venues so I can have a handle on their
>certificates?
>Or do I only need them to tell me their distinguished name?

You need to know the DN.

>* If someone is not allowed entrance, his/her VenueClient doesn't receive
>the multicast addresses from the venue so he cannot connect to the venue.

Correct.

>"Impossible" to guess the multicast addresses. But what if he knows them?
>If they are static, and somehow he knows, either because he already has
>connected to it (a former client perhaps) or because it is stated on my
>website or something. What stops him from just starting VIC and RAT and
>listening to all my confidential conversations?

The multicast addresses themselves cannot be made private; the information 
about active multicast groups is available for perusal in network routers 
if you know where to look.


>- Encryption key?
>
>* Are the video/audio streams encrypted? Hashed up and sent that way
>through the network? No one can decipher them unless he has the key? How
>is that key known by all parties? Who sets that key?

The streams are encrypted, yes. The key is set by the manager of the Venue, 
and is maintained in the Venue. Keys are distributed to clients that are 
allowed access via the access control mechanism.

>* So if "a bad guy" guessed (knew) my multicast addresses he still would
>not see/hear my meetings unless he also knew the encryption key?

Correct.

>* Why aren't I ever asked for an en(de)cryption key when I enter venues?

The Venues software manages that for you.

>Please answer some (all) of those questions, and all the others I forgot
>to ask as well :)

:-). I think that covers it; please feel free to ask more if anything is 
unclear.

--bob
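
The access-control and key-distribution behaviour described in the message above, as a toy model added here (not code from the Access Grid Toolkit or from Bob's reply): clients are identified by the DN of their X.509 certificate, the venue keeps an access list of DNs, only admitted clients get the multicast address together with the venue's media key, and blacklisting removes a DN from the list. The DNs are constructed, and the cipher is an HMAC-SHA256 counter keystream chosen only because it is in the standard library, not whatever vic/rat actually use. One caveat the message does not state is modelled as well: a blacklisted client already holds the key it was handed, so the venue in the example also rotates the key after revoking.

```python
"""Toy model of the venue access control and key distribution described
above. Added example, NOT code from the Access Grid Toolkit: the DNs are
constructed, and the cipher is an HMAC-SHA256 counter keystream chosen only
because it is in the standard library, not the cipher vic/rat actually use."""
import hashlib
import hmac
import secrets


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with an HMAC-SHA256 counter-mode keystream.
    The same call both encrypts and decrypts."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class AccessDenied(Exception):
    """Raised when a DN is not on the venue's access list."""


class Venue:
    """Holds the multicast group (not secret), the media key, and the ACL of DNs."""

    def __init__(self, multicast_addr: str, port: int):
        self.multicast_addr = multicast_addr
        self.port = port
        self.media_key = secrets.token_bytes(32)  # set and held by the venue
        self.allowed_dns: set[str] = set()

    def allow(self, dn: str) -> None:
        self.allowed_dns.add(dn)

    def blacklist(self, dn: str) -> None:
        self.allowed_dns.discard(dn)

    def rekey(self) -> None:
        """Rotate the key: a blacklisted client already holds the old one."""
        self.media_key = secrets.token_bytes(32)

    def enter(self, client_dn: str) -> dict:
        """What a VenueClient receives on entry (address, port and key), or
        nothing at all if the certificate's DN is not on the access list."""
        if client_dn not in self.allowed_dns:
            raise AccessDenied(client_dn)
        return {"addr": self.multicast_addr, "port": self.port, "key": self.media_key}


def send_packet(venue: Venue, plaintext: bytes) -> tuple[bytes, bytes]:
    """Encrypt one media packet for the group; anyone can capture (nonce, ct)."""
    nonce = secrets.token_bytes(8)
    return nonce, keystream_xor(venue.media_key, nonce, plaintext)


def receive_packet(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """What a listener on the multicast group gets with whatever key it holds."""
    return keystream_xor(key, nonce, ciphertext)


def simulate() -> dict:
    """Run the scenario from the message and report what each party could hear."""
    venue = Venue("224.2.3.4", 50000)
    alice = "/O=Access Grid/OU=Example CA/CN=Alice Example"      # constructed DN
    mallory = "/O=Access Grid/OU=Example CA/CN=Mallory Example"  # constructed DN
    venue.allow(alice)
    out = {}

    alice_streams = venue.enter(alice)
    try:
        venue.enter(mallory)
        out["mallory_admitted"] = True
    except AccessDenied:
        out["mallory_admitted"] = False

    audio = b"confidential conversation"
    nonce, ct = send_packet(venue, audio)
    out["alice_hears"] = receive_packet(alice_streams["key"], nonce, ct) == audio
    # Mallory knows the multicast address (it cannot be hidden) but has no key.
    out["mallory_hears"] = receive_packet(secrets.token_bytes(32), nonce, ct) == audio

    # Blacklist Alice; she already received the key, so the venue must rotate it.
    venue.blacklist(alice)
    venue.rekey()
    later = b"after revocation"
    nonce2, ct2 = send_packet(venue, later)
    out["alice_hears_after_revocation"] = receive_packet(alice_streams["key"], nonce2, ct2) == later
    try:
        venue.enter(alice)
        out["alice_readmitted"] = True
    except AccessDenied:
        out["alice_readmitted"] = False
    return out


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

Running the script prints one line per outcome: Mallory is refused entry and, even listening on the (guessable) multicast group, cannot read the packets; Alice reads them until she is blacklisted, after which the rotated key shuts her out as well. The rekey step is the part worth remembering in practice: removing a DN from the access list only stops future entries, it does not take back a key already distributed.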