[AG-TECH] Security in AG

Benedikt Bjarni Bogason benedib at hi.is
Wed Aug 18 09:09:19 CDT 2004


Thanks Bob

Great to clear this up. Is there any documentation on this that I can cite
(in the report I'm writing)?

Also: Say I want to run VIC and RAT from command line (if the Venue Client
software is not working on one node or something), and the streams are
encrypted, how can this node decrypt them? Will a popup window ask for the
key?

Again, thanks for answering.
Benedikt.

>
>>- This is done by certificates?
>
> Yes, the AG software uses X.509 identity certificates for the purposes of
> authenticating communications endpoints.
>
>>* After I notice someone has broken into my venue, I can "blacklist"
>>him/her, or rather that particular certificate.
>
> Yes, by manipulating the access control for that venue.
>
>>* I can also beforehand deny anyone access to my venue except certain
>>certificates, some selected persons that I want to allow in? They must
>>already have access to my venues so I can have a handle on their
>>certificates?
>>Or do I only need them to tell me their distinguished name?
>
> You need to know the DN.
>
>>* If someone is not allowed entrance, his/her VenueClient doesn't receive
>>the multicast addresses from the venue so he cannot connect to the venue.
>
> Correct.
>
>>"Impossible" to guess the multicast addresses. But what if he knows them?
>>If they are static, and somehow he knows, either because he already has
>>connected to it (a former client perhaps) or because it is stated on my
>>website or something. What stops him from just starting VIC and RAT and
>>listening to all my confidential conversations?
>
> The multicast addresses themselves cannot be made private; the information
> about active multicast groups is available for perusal in network routers
> if you know where to look.
>
>
>>- Encryption key?
>>
>>* Are the video/audio streams encrypted? Hashed up and sent that way
>>through the network? No one can decipher them unless he has the key? How
>>is that key known by all parties? Who sets that key?
>
> The streams are encrypted, yes. The key is set by the manager of the
> Venue,
> and is maintained in the Venue. Keys are distributed to clients that are
> allowed access via the access control mechanism.
>
>>* So if "a bad guy" guessed (knew) my multicast addresses he still would
>>not see/hear my meetings unless he also knew the encryption key?
>
> Correct.
>
>>* Why aren't I ever asked for an en(de)cryption key when I enter venues?
>
> The Venues software manages that for you.
>
>>Please answer some (all) of those questions, and all the others I forgot
>>to ask as well :)
>
> :-). I think that covers it; please feel free to ask more if anything is
> unclear.
>
> --bob
>
>
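The access-control and key-distribution model Bob describes above (the venue holds the stream key, admits clients by the distinguished name of their X.509 certificate, blacklists by DN, and hands the multicast address and key only to admitted clients) as a small Python model. This is an added example, not Access Grid code; the `Venue` class, its method names and the DNs are constructed for illustration. It also goes one step beyond the thread: `blacklist()` rotates the venue key, since revoking a certificate alone does not take the key back from a client that already received it.

```python
"""Toy model of venue access control and stream-key distribution.

Constructed for illustration; not the Access Grid Venue Server code.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class Venue:
    # Multicast address is not a secret: active groups are visible in routers.
    multicast_addr: str
    allowed_dns: set = field(default_factory=set)   # certificate DNs allowed in
    denied_dns: set = field(default_factory=set)    # blacklisted certificate DNs
    # Stream key set by the venue manager and kept in the venue (16 random bytes here).
    key: bytes = field(default_factory=lambda: secrets.token_bytes(16))

    def admit(self, dn):
        """Return (multicast_addr, key) for an admitted DN, or None.

        The deny list wins over the allow list, so a blacklisted certificate
        stays out even if it was previously allowed. A client that is not
        admitted gets neither the address nor the key, which is what stops
        someone who merely knows the multicast group from decrypting streams.
        """
        if dn in self.denied_dns:
            return None
        if dn not in self.allowed_dns:
            return None
        return self.multicast_addr, self.key

    def blacklist(self, dn):
        """Revoke a participant's certificate DN and rotate the stream key.

        Key rotation is an addition beyond what the thread states: without it,
        a revoked client that already holds the old key could keep listening.
        """
        self.denied_dns.add(dn)
        self.key = secrets.token_bytes(16)


def demo():
    """Walk through allow, deny-by-default and blacklist; returns the outcomes."""
    # Constructed sample DNs and multicast address.
    alice = "/O=Example/OU=Research/CN=Alice"
    mallory = "/O=Example/OU=Research/CN=Mallory"
    venue = Venue(multicast_addr="224.2.3.4/57000")
    venue.allowed_dns.add(alice)

    alice_first = venue.admit(alice)        # gets address and key
    mallory_first = venue.admit(mallory)    # not on the allow list: nothing
    old_key = venue.key
    venue.blacklist(alice)
    alice_after = venue.admit(alice)        # blacklisted: nothing
    return {
        "alice_admitted": alice_first is not None,
        "mallory_admitted": mallory_first is not None,
        "alice_after_blacklist": alice_after is not None,
        "key_rotated": venue.key != old_key,
    }


if __name__ == "__main__":
    print(demo())
```

In the real deployment the DN comes from the client's verified certificate rather than from a string the client supplies, which is why Bob's answer that "you need to know the DN" is enough to build the allow list: the DN is bound to the key pair by the certificate, not asserted by the client.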