Visit Jeremy's Blog.
Go Back > Forums > Linux Forums > Linux - Security
User Name
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


  Search this Thread
Old 07-25-2008, 09:32 AM   #1
Registered: Aug 2005
Location: Slovenia
Distribution: Fedora, Ubuntu
Posts: 69

Rep: Reputation: 15
SSL Certificate and PKI question, secure HTTPS connection, mail encription


I think I understand all the fuss about asymmetric encryption and public and private keys. I think I understand what is server certificate. It is a public key with owners information signed by the certificate authorities private key. The certificate is sent from server to the browser at the beginning of the SSL handshaking. Browser can then authenticate the servers public key against CA that signed it. Then this public key is used to send symmetric key for the symmetric data encryption.
What I don't understand here is according to the page there can also be the client certificate which I doubt the average user have (maybe some banking certificates?) What are client side certificates for? Just for authentication? Is it ever used in symmetric key exchange? If my bank issues the certificate for usage with theirs web banking, shouldn't I also get the private key or the private key is held by the bank?=

About mail encryption. I have my certificate. I signed my mail with my certificate (public key?). Now the other end cam verify the mail integrity and authenticity. How? The logic thing would be that I sign the mail hash with my private key and the other party can check that with my certificate (public key) I send along with my mail. For mail encoding I should also have the other party certificate (public key) shouldn't I?

Old 07-25-2008, 11:42 AM   #2
Registered: Mar 2008
Location: UK
Distribution: Fedora, Gentoo
Posts: 209

Rep: Reputation: 36
What are client side certificates for? Just for authentication?
Basically yes. The client's certificate just proves to the server that you are who you say you are. Commonly, the server (or some other trusted third party) will sign your client certificate before sending it back to you. Then when you connect to the server, it can check the signature to see if it's valid. I don't know of many large systems that do use client certificates, but I've got my small email server set up so it requests my client certificate if I want to send/receive mail.

In the case you describe of banks distributing certificates to users, they're probably using something like a pkcs12 file, which, as you correctly pointed out must contain both the public and private key (I think it's encrypted with a shared secret key/passphrase). It's then imported into your browser (see for example tools->options->advanced->encryption in firefox, where you can import the pkcs12 file). It's not perfect (since ideally no-one should EVER know your private key), but it's probably better than the crappy passwords most people would use.

For mail encoding I should also have the other party certificate (public key) shouldn't I?
Yes, you encrypt the message with the the recipients public key, then sign it with your private key. Provided the recipient trusts your public key (e.g. it's signed by a CA or whatever), this works. It's actually more complicated than that, since both a basic "sign then encrypt" or "encrypt then sign" protocol are vulnerable to various attacks. I can't remember off the top of my head what the details are.

Hope this helps.
Old 07-28-2008, 03:20 AM   #3
Registered: Aug 2005
Location: Slovenia
Distribution: Fedora, Ubuntu
Posts: 69

Original Poster
Rep: Reputation: 15
Really? There are also certificates with both public and private keys in it? This could be the case with my banking system. When I connect to their web site the browser window with question about certificate pops out and asks me which certificate I want to use. I select the proper certificate and secure connection is made (I can see this by small lock icon in the browser). Then I also type my password on the entry web page and the system lets me in. But I still don't understand what my certificate is for here. Is my assumption correct:
- first when SSL handshaking is taking place when both client and server authenticate each other with their public keys being signed my CA.
- then client generates symmetric key and encodes it with servers public key and sends it to it (I know this algorithm is a little bit more complicated, but this is the essence of it)
- now all communication is taking place with symmetric key encryption.
- what role does client and server public keys have from now on? What does the client do with its private key?
- is data encrypted by both sides with each others public keys? This would be asymmetric encryption on top of the symmetric one?

You also said that email encryption and signing is a little bit more complicated. Do you have any links or documents that describe banking case and mail encryption/signing case in more detail? It really bugs me I don't fully understand it (especially the banking case). Wikipedia is great place to learn the basic theory, but it doesn't describe the real world implementation.

Best regards,

Last edited by Rostfrei; 07-28-2008 at 03:29 AM.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
SSL Certificate question watcher69b Linux - Server 1 06-10-2008 10:04 PM
LXer: Linux Postfix mail server SSL certificate installations and configuration LXer Syndicated Linux News 0 07-13-2007 11:01 AM
Maximum PKI Root Certificate for IE metallica1973 Linux - Security 2 05-30-2007 07:36 PM
https SSL Certificate Expired lothario Linux - Security 1 01-19-2005 10:42 PM
ssl certificate question lenlutz Linux - Networking 1 10-08-2003 11:53 AM > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 12:52 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration