LinuxQuestions.org
Old 06-03-2009, 02:02 AM   #1
masenko703
SSL Public key/Private question


Hi everyone,
I have a quick/newb question:

I know that a public key is used to encrypt data and a private key is used to decrypt data but who keeps the public/private keys??

Does the Web Server hold both?
Does the Web Server have the public key and does the client have the private key?
Does the Client have both?

When I create a key using the openssl command (e.g. openssl genrsa -des3 -out server.key 4096) is that the private or public key??

Please help, thanks.
 
Old 06-03-2009, 04:43 AM   #2
JulianTosh
Typically, you publish your public key to anyone who wants/needs/asks for it. The private key stays, well, secure, on the web server.

The private key can either have an additional security measure to protect itself in case someone copies it (a password), or no password. Having one requires you to be there at service restarts to type in that password. Not having one means service restarts happen automatically, but if someone copies the key, anyone can impersonate your web server and decrypt captured conversations.

When you submit your public key to a CA, they are signing your public key with their private one. The CA signed public key is then added to your keystore on the web server.

When a browser client connects to your web server, the public key is transferred in the initial connection. The client checks the trusted CA's signature on the public key of your web server. If the signature is good, and the hostname matches what's on the certificate, everything is grand.
 
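An added walk-through of the flow in that reply, as a shell script (this is not from the original thread or from any project; it only assumes `openssl` is on PATH, and the throwaway CA, the hostname www.example.test and the file names are made up for the demo). It shows which file `genrsa` produces, how the public half is derived from it, what the CA actually signs, the two checks a browser makes (CA signature and hostname), and the point made later in the thread that the certificate carries the public key rather than being it:

```shell
#!/bin/sh
# Added example, not from the thread: which file is which in the key / CA /
# browser flow. Assumes `openssl` on PATH; the CA, www.example.test and the
# directory layout are made up for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

make_server_key() {
    # `openssl genrsa` writes the PRIVATE key. The posted command adds -des3,
    # which wraps it in a passphrase you must type at every restart; left out
    # here so the script runs unattended (the trade-off the reply describes).
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    # The public key is derived from the private one; this is the half you publish.
    openssl rsa -in "$WORK/server.key" -pubout -out "$WORK/server.pub" 2>/dev/null
}

# Report what a PEM file holds by its first line: "private", "public" or "unknown".
key_kind() {
    case "$(head -n 1 "$1")" in
        *"PRIVATE KEY"*) echo private ;;
        *"PUBLIC KEY"*)  echo public ;;
        *)               echo unknown ;;
    esac
}

make_ca() {
    # Stand-in for the CA's own key pair and self-signed root (demo only).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=Example Test CA" 2>/dev/null
}

issue_server_cert() {
    # The CSR carries the server's PUBLIC key plus its name; the private key
    # never leaves the server. The CA signs the CSR with ITS private key.
    openssl req -new -key "$WORK/server.key" \
        -subj "/CN=www.example.test" -out "$WORK/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:www.example.test\n' > "$WORK/san.cnf"
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/san.cnf" -out "$WORK/server.crt" 2>/dev/null
}

# What the browser does: check the CA signature on the certificate AND that
# the hostname matches. Returns 0 only when both hold.
verify_server_cert() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
        "$WORK/server.crt" >/dev/null 2>&1
}

# SHA-256 of a public key in DER form, so two PEM files compare by content.
pubkey_fingerprint() {
    openssl pkey -pubin -in "$1" -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# The certificate CONTAINS the server's public key (next to the name, validity
# period and the CA's signature); pull it back out and compare with server.pub.
cert_holds_server_pubkey() {
    openssl x509 -in "$WORK/server.crt" -pubkey -noout > "$WORK/from_cert.pub"
    [ "$(pubkey_fingerprint "$WORK/from_cert.pub")" = "$(pubkey_fingerprint "$WORK/server.pub")" ]
}

demo() {
    make_server_key
    make_ca
    issue_server_cert
    echo "server.key holds a $(key_kind "$WORK/server.key") key, server.pub a $(key_kind "$WORK/server.pub") key"
    verify_server_cert www.example.test && echo "www.example.test: CA signature and hostname OK"
    verify_server_cert evil.example.test || echo "evil.example.test: hostname mismatch, a browser would warn"
    cert_holds_server_pubkey && echo "server.crt carries the same public key as server.pub"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh keys.sh demo`. The only secret in the whole run is `server.key` (and the CA's `ca.key`); everything else, including `server.crt`, is safe to hand to any client.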
Old 06-03-2009, 04:56 AM   #3
masenko703
Thanks for the reply!!!

So correct me if I'm wrong here:

1. client's browser initiates a connection
2. the web server responds and sends its public key
3. the client receives the public key, writes encrypted data with it
4. the client sends the encrypted data back to the web server
5. then the web server decrypts data with its private key

Is this right? So public and private key both reside on the web server?
 
Old 06-03-2009, 05:03 AM   #4
JulianTosh
That's basically it. There's a little more to it and I'm not qualified to express it at the moment... but basically, the server needs to be able to encrypt the content back to the client. Not sure if it uses a session password (symmetric) or does a browser certificate exchange so then both sides of the conversation are encrypted. I think I'll go read the wiki now...

Both the server's private and public keys reside on the web server.
 
Old 06-03-2009, 05:21 AM   #5
JulianTosh
http://en.wikipedia.org/wiki/Secure_...r#How_it_works

MMmmm
Quote:
* In order to generate the session keys used for the secure connection, the client encrypts a random number (RN) with the server's public key (PbK), and sends the result to the server. Only the server can decrypt it (with its private key (PvK)): this is the one fact that makes the keys hidden from third parties, since only the server and the client have access to this data. The client knows PbK and RN, and the server knows PvK and (after decryption of the client's message) RN. A third party may only know PbK, unless PvK has been compromised.
* From the random number, both parties generate key material for encryption and decryption.
Delicious!
 
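The quoted key-transport step, played out with openssl as an added example (not from the thread or from Wikipedia). The client picks a random number RN and encrypts it to the server's public key PbK; only the holder of PvK gets RN back; both sides then derive the same symmetric key from it and use that for the actual traffic. It assumes `openssl` on PATH; the file names, the 32-byte RN and the "SHA-256 of RN" derivation are simplifications chosen for the demo (TLS uses its own PRF). Note that this RSA exchange is what lets a stolen PvK decrypt captured traffic, as the earlier reply warns; TLS 1.3 dropped it in favour of ephemeral Diffie-Hellman for that reason, though the public/private roles shown here are unchanged.

```shell
#!/bin/sh
# Added example, not from the thread: RSA key transport with openssl.
# Assumes `openssl` on PATH; RN size, file names and the SHA-256 derivation
# are demo choices, not what TLS actually does.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Server side, done once: PvK stays here, PbK is what clients receive.
gen_keypair() {
    openssl genrsa -out "$WORK/PvK.pem" 2048 2>/dev/null
    openssl rsa -in "$WORK/PvK.pem" -pubout -out "$WORK/PbK.pem" 2>/dev/null
}

# Client side: choose RN, encrypt it to PbK. wire.bin is all a third party sees.
client_send_rn() {
    openssl rand -hex 32 > "$WORK/client_RN"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/PbK.pem" \
        -in "$WORK/client_RN" -out "$WORK/wire.bin"
}

# Server side: only PvK opens wire.bin.
server_recv_rn() {
    openssl pkeyutl -decrypt -inkey "$WORK/PvK.pem" \
        -in "$WORK/wire.bin" -out "$WORK/server_RN"
}

# A third party holding only PbK and wire.bin cannot perform the decrypt step.
eavesdropper_fails() {
    ! openssl pkeyutl -decrypt -inkey "$WORK/PbK.pem" \
        -in "$WORK/wire.bin" -out "$WORK/eve_RN" 2>/dev/null
}

# Both sides turn RN into key material the same way: here SHA-256 of the RN
# file, giving a 256-bit AES key as hex.
derive_key() {
    openssl dgst -sha256 "$1" | awk '{print $NF}'
}

# Application data: the client encrypts with its derived key, the server
# decrypts with its own derived copy. Prints the recovered plaintext.
# (CBC without a MAC is for illustration only; TLS authenticates records.)
roundtrip() {
    iv=$(openssl rand -hex 16)   # the IV is public and travels with the ciphertext
    printf '%s' "$1" > "$WORK/msg"
    openssl enc -aes-256-cbc -K "$(derive_key "$WORK/client_RN")" -iv "$iv" \
        -in "$WORK/msg" -out "$WORK/msg.enc"
    openssl enc -d -aes-256-cbc -K "$(derive_key "$WORK/server_RN")" -iv "$iv" \
        -in "$WORK/msg.enc"
}

demo() {
    gen_keypair
    client_send_rn
    server_recv_rn
    cmp -s "$WORK/client_RN" "$WORK/server_RN" && echo "server recovered the same RN"
    eavesdropper_fails && echo "PbK alone cannot decrypt wire.bin"
    echo "server reads: $(roundtrip 'GET / HTTP/1.1')"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh transport.sh demo`. Inspect `$WORK/wire.bin` afterwards: it is the only thing sent over the network about RN, and it is useless without `PvK.pem`.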
Old 06-03-2009, 11:01 PM   #6
masenko703
Thanks again!!

One more question, so the server's certificate is actually the public key?? is this right?
 
Old 06-03-2009, 11:14 PM   #7
JulianTosh
The certificate contains the public key, but is not the key. In other words, there's more stuff in the certificate than just the key.