On Mon, Apr 16, 2001 at 02:18:06PM -0500, David Jourard wrote:
> Till now I always thought that the SSL was secure in just one direction
> from the client to the server since the client browser encrypts the data
> with a public key and the server decrypts with a private key; till someone
> else corrected me with the following URL:
> http://developer.netscape.com/docs/manuals/security/sslin/contents.htm
Private/public key encryption tends to be very slow and, as you already
researched yourself, it is only used while negotiating a symmetric key
that is secret and known only to client and server.
> Here it reviews the handshake process and from what I gather is that the
> public key is used to encrypt the starting key used for the symmetric
> encryption of data. Effectively when the handshake is finished data
> transferred is simply encrypted data with the symmetric keys.
>
> Hence data sent back to the client is secure and it's okay to send secure
> information back to the client.
Yes, the channel provides the same security in both directions.
(To say it in other words: if this condition did not hold, half of the
conversation would be held in the open and encryption would be more or less
useless.)
There are good books available on these issues. Since a lot of things are
important when dealing with encryption (from good random numbers to generate
the symmetric key to a complete verification of certificates to avoid
man-in-the-middle attacks) I would recommend that you spend some time reading.
I recommend "Applied Cryptography" by Bruce Schneier for a general overview.
People on this list also recommended Eric Rescorla: "SSL and TLS: Designing and
Building Secure Systems". (Eric wanted to arrange for a review copy, but
since I never got one I simply cannot tell :-)
Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
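An added, runnable illustration of the two points made in the reply above (this is not code from the original thread or from the OpenSSL project): a TLS server and a TLS client in one Go program talk over loopback TCP using a constructed self-signed certificate for the made-up host name `example.test`. The handshake negotiates the symmetric keys; afterwards one message is sent in each direction and both arrive intact, showing the channel protects client-to-server and server-to-client traffic alike. A second run gives the client an empty trust store, so certificate verification fails and the handshake is refused, which is the check the reply points to as the defence against a man in the middle.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// serverName is a constructed host name for the demo certificate (assumption, not from the thread).
const serverName = "example.test"

// selfSignedCert generates a throwaway ECDSA key and a certificate for serverName.
// It returns the server-side tls.Certificate and a root pool that trusts exactly
// that certificate, which is what the client needs to verify the server.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: serverName},
		DNSNames:     []string{serverName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(parsed)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// exchange runs a TLS handshake between an in-process server and client over
// loopback TCP, then sends clientMsg to the server and serverMsg back to the
// client. With trustServer false the client gets an empty trust store, so the
// server certificate cannot be verified and the handshake must fail.
func exchange(clientMsg, serverMsg string, trustServer bool) (seenByServer, seenByClient string, err error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return "", "", err
	}
	roots := x509.NewCertPool() // empty pool: trusts nobody
	if trustServer {
		roots = pool
	}
	srvConf := &tls.Config{Certificates: []tls.Certificate{cert}}
	cliConf := &tls.Config{RootCAs: roots, ServerName: serverName}

	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", "", err
	}
	defer ln.Close()

	type result struct {
		msg string
		err error
	}
	done := make(chan result, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			done <- result{err: err}
			return
		}
		srv := tls.Server(raw, srvConf)
		defer srv.Close()
		buf := make([]byte, 1024)
		n, err := srv.Read(buf) // first Read runs the server side of the handshake
		if err != nil {
			done <- result{err: err}
			return
		}
		_, err = srv.Write([]byte(serverMsg)) // reply travels over the same symmetric keys
		done <- result{msg: string(buf[:n]), err: err}
	}()

	// Dial performs the client side of the handshake; certificate verification
	// failures surface here before any application data is sent.
	cli, err := tls.Dial("tcp", ln.Addr().String(), cliConf)
	if err != nil {
		return "", "", err
	}
	defer cli.Close()
	if _, err := cli.Write([]byte(clientMsg)); err != nil {
		return "", "", err
	}
	buf := make([]byte, 1024)
	n, err := cli.Read(buf)
	if err != nil {
		return "", "", err
	}
	r := <-done
	if r.err != nil {
		return "", "", r.err
	}
	return r.msg, string(buf[:n]), nil
}

func main() {
	// Constructed sample messages, one per direction.
	s, c, err := exchange("client -> server: account query", "server -> client: balance 42.00", true)
	if err != nil {
		panic(err)
	}
	fmt.Printf("server decrypted: %q\nclient decrypted: %q\n", s, c)
	if _, _, err := exchange("x", "y", false); err != nil {
		fmt.Println("untrusted server certificate refused:", err)
	}
}
```

The server goroutine and the client each hold one end of a single TLS session; nothing in the code treats the two directions differently, and only the trust store decides whether the session is established at all.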