LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 06-12-2008, 05:03 AM   #1
calande
Member
 
Registered: Oct 2005
Distribution: Urubu
Posts: 159

Rep: Reputation: 15
Question Public key, private key explained


Hello,

I'm trying to understand how encryption and authentication work. I read that for the case of a web site and an SSL certificate, let's take the example of you buying from Amazon, there is a private key that only Amazon knows, and the Amazon.com public key that anyone can get. So you access https://www.amazon.com, the web site sends you its public key, and its web page encrypted using their private key. Using the public key, you know it came from Amazon and you can read the content of the HTML file. Ok. But if between my computer and the Amazon servers, there is some one who snifs the packets sent back and forth, he knows I'm visiting Amazon, he also knows the public key, and therefore, he can intercept HTML data and decrypt it using the public key, right? Then it's not secure. Or am I missing something?
Thanks,
 
Old 06-12-2008, 05:14 AM   #2
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122Reputation: 122
That's why certificate authorities come into play.

What you are suggesting works, but is hard, because unless I know what encrypted sites you plan to visit, the middleman would need to create a certificate on the fly which takes time. But what you describe it the classic middleman vulnerability
 
Old 06-12-2008, 05:19 AM   #3
calande
Member
 
Registered: Oct 2005
Distribution: Urubu
Posts: 159

Original Poster
Rep: Reputation: 15
Thanks. If the middle man reads the information sent back and forth, he knows what site the victim is visiting, right? So he can decrypt the information sent by Amazon using the Amazon public key. Or am I missing something? For what purpose would he have to create a certificate on the fly? What kind of certificate would it be?
 
Old 06-12-2008, 05:23 AM   #4
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally Posted by billymayday View Post
That's why certificate authorities come into play.

What you are suggesting works, but is hard, because unless I know what encrypted sites you plan to visit, the middleman would need to create a certificate on the fly which takes time. But what you describe it the classic middleman vulnerability
The thing is, what he described is totally erroneous. Additionally, you don't need to have any prior knowledge of what sites the victim will be using or anything like that. Creating fake certificates is a piece of cake, and if it wasn't for a trusted third-party (the CA), there would be no way to know with a fair degree of certainty that the server's certificate actually belongs to it. So yes, checking for properly signed certificates protects you from a man-in-the-middle attack, but the attacker having prior knowledge of the sites is irrelevant - as it should be.

Quote:
Originally Posted by calande View Post
I'm trying to understand how encryption and authentication work. I read that for the case of a web site and an SSL certificate, let's take the example of you buying from Amazon, there is a private key that only Amazon knows, and the Amazon.com public key that anyone can get. So you access https://www.amazon.com, the web site sends you its public key, and its web page encrypted using their private key. Using the public key, you know it came from Amazon and you can read the content of the HTML file. Ok. But if between my computer and the Amazon servers, there is some one who snifs the packets sent back and forth, he knows I'm visiting Amazon, he also knows the public key, and therefore, he can intercept HTML data and decrypt it using the public key, right? Then it's not secure. Or am I missing something?
That's not how it works. The client connects to the HTTPS server, and the server provides the client with a certificate (which includes the server's public key). The client verifies that the certificate is good (in other words, that it is digitally signed by a trusted third party), then proceeds to encrypt a random session key using the server's public key and sends it to the server. The session key is used from then on to secure the connection for that session. Keep in mind that only the server can decrypt content encrypted with its public key (you need the private key to decrypt it). If you Google for something like how does HTTPS work (or maybe how does SSL work) you should be able to find tons of info.

Quote:
Originally Posted by calande View Post
But if between my computer and the Amazon servers, there is some one who snifs the packets sent back and forth, he knows I'm visiting Amazon, he also knows the public key, and therefore, he can intercept HTML data and decrypt it using the public key, right?
No. He needs the private key in order to decrypt.

Last edited by win32sux; 06-12-2008 at 01:01 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Private/Public key vs. Password authentication w/ SSH MykeV Linux - Security 5 11-25-2007 11:49 AM
need help with SSH private/public key taduser Linux - Security 2 04-02-2007 07:07 PM
SSH - trouble authenticating private/public key Micro420 Linux - Networking 5 01-23-2007 01:08 PM
public/private key authentication with PuTTY NetAX Linux - Security 5 10-27-2004 06:00 PM
RSA public key encryption/private key decription koningshoed Linux - Security 1 08-08-2002 07:25 AM


All times are GMT -5. The time now is 03:38 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration