LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 12-05-2006, 10:23 AM   #1
lievendp
Member
 
Registered: Jan 2006
Location: Belgique
Distribution: Gentoo, Debian, Redhat, Centos, (x)Ubuntu
Posts: 111

Rep: Reputation: 27
ssl using server and client certificate. Which key used for encryption?


Dear folks,

I do have a question about which private/public key pair is used when some browser client connects to a webserver using the ssl protocol.

for example:
I have a webserver with a certificate that has server-authentication as purpose. This certificate is validated against a root certificate which was created by my own certification authority.

Then on the other hand I have a certificate on a client computer with client-authentication and encryption as purpose. Also this certificate has been validated against the root cert from my own ca.

When I connect now to the webserver via ssl, what key is used for the encryption of the traffic? Is it one of the certificate's keys? Or are the keys just used for identification and does the ssl engine (or however it is called) just create some random key for the session which is used for the encryption?

note: In my case, this is a windows server and a linux client but I assume that the process is the same for linux-linux or windows-windows. (?)

Thanks in advance for your answers.

kind regards,

Lieven
 
Old 12-05-2006, 06:23 PM   #2
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,423

Rep: Reputation: 1158Reputation: 1158Reputation: 1158Reputation: 1158Reputation: 1158Reputation: 1158Reputation: 1158Reputation: 1158Reputation: 1158
Here's the soap...

(1) The bulk of the data that is sent along any secured conversation is encrypted using a randomly-generated "symmetric" (that is, conventional) key. The conversation is encrypted using a well-known symmetric algorithm such as DES3 or AES. The reason for this is simple... speed. The randomly-generated key is produced using a cryptographically strong algorithm that produces "good" random numbers... it's therefore impractical to guess them. The key is used only for THIS conversation and it is never used again.

(2) Obviously, with a symmetric cipher, the correct randomly-generated key must be supplied to the other party in the conversation, and this key must be exchanged securely. The certificate provides the means for them to do this. The random key is sent as the payload of a message that is encrypted using the public-key that is provided in the certificate. For every public key, there is a corresponding (unknown) private key that is held, and closely guarded, by the owner of the certificate. Therefore, only the intended recipient can decrypt the message that contains the randomly-generated key. Upon doing so, both parties now have the correct random-key for this conversation and they can now begin to exchange information. If the conversation continues for a long time, the two parties might decide to "re-key," that is, switch to a new random symmetric-key on the fly.

(3) "Signing" is a method that can be used to avoid accidental use of forged certificates. The signature consists of a checksum that has been encrypted using some other "trusted" key held by a "certifying authority." The public-keys used by those authorities are known, and are used to verify the signature.

(4) I have only described the keying protocol... systems like SSL contain mechanisms that allow us to continuously verify that traffic being exchanged has not been intercepted or modified in transit, and that encrypted matter captured from some previous conversation is not being "re-played" and injected into the stream.

Last edited by sundialsvcs; 12-05-2006 at 06:26 PM.
 
Old 12-07-2006, 07:22 AM   #3
lievendp
Member
 
Registered: Jan 2006
Location: Belgique
Distribution: Gentoo, Debian, Redhat, Centos, (x)Ubuntu
Posts: 111

Original Poster
Rep: Reputation: 27
Thank you for this explanations.
I also found the following site which explains some more: (english)
http://tldp.org/HOWTO/Apache-WebDAV-LDAP-HOWTO/ssl.html

kind regards,
Lieven
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
RSA certificate for ssl server problem mr_empty Linux - Security 2 12-05-2006 08:36 PM
Change server SSL certificate leosgb Linux - Security 2 04-08-2006 12:28 PM
SSL certificate without..... Drogo Linux - Software 1 06-13-2003 03:13 AM
RSA public key encryption/private key decription koningshoed Linux - Security 1 08-08-2002 08:25 AM
2 certificate ssl in 1 server apache simquest Linux - Software 2 07-24-2002 12:47 PM


All times are GMT -5. The time now is 05:07 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration