RW <rwmailli...@googlemail.com> writes: > There's a simple paint analogy here: > > https://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange > > that illustrates how it's possible to exchange a shared secret without > an eavesdropper knowing what it is. The shared secret can then be used > for symmetric encryption using something like AES.
SSL / TLS didn't commonly use DH, much less *safe* DH, until fairly recently, and DH alone is not very useful. You need either a shared secret or trusted key pairs to authenticate either or both endpoints. > Actual protocols use public key cryptography so it can be established > that the exchange is end to end, and not broken into two separate > exchanges. Assuming you can trust the public key, which is what CAs are for, but CAs can be hacked, deceived or coerced. DES -- Dag-Erling Smørgrav - d...@des.no _______________________________________________ freebsd-security@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
