[squid-users] One Time Password with squid, exists?

Amos Jeffries squid3 at treenet.co.nz
Thu Mar 12 05:07:05 UTC 2015


On 12/03/2015 4:22 p.m., Daniel Greenwald wrote:
> Amos- Where can i get the per message pki authentication you describe.!?

I saw it on a forum somewhere shortly after the Sony DRM/rootkit issue
came out. It was a proposal for non-intrusive DRM in music/video streams
with a custom client and server. Dismissed at the time due to DRM folks
wanting the encryption even the client could not decrypt. I've not seen
anything like it in public availability, but given that YT are now doing
HTML5 video I suspect they or Netflix are the guys to ask there.

Should be easy enough to code up one of your own though. The client
agent had a public key for the server, generated keys get sent as
password salted with something from the cert. The username was used for
a client cert for the actual auth part same as in TLS. Both parts
encrypted with the servers key to prevent MITM on the way.
 All the server has to do is decrypt the received cert+key, validate,
then encrypt the response payload (optionally some headers about it a
well) with the client provided key.


If I was implementing it today I'd use DNS TLSA record to publish the
server key(s) instead of embedding in the client, and list
available/preferred ciphers etc in the username part instead of just a
client cert.

Amos



More information about the squid-users mailing list