Andrew Finnell <[EMAIL PROTECTED]> writes:
>     Is openssl's key exchange asymmetric or symmetric? And could someone
> explain to me what this means? I have been asked this and need to explain
> it.
In general, it's asymmetric.

Symmetric means that the same key is used for encryption as decryption
(and the same key is used for MAC generation and MAC verification, though
typically a different key from that used for encryption and decryption).

Asymmetric means that a different key is used for encryption and decryption
(and different keys are used for signature generation and verification).

In other words: symmetric means private key. Asymmetric means public key.

OpenSSL implements at least two major cryptographic protocols:
SSL/TLS and S/MIME. In general, both SSL/TLS and S/MIME use
asymmetric mechanisms for key exchange, however both have symmetric
modes: SSL/TLS has a Kerberos mode and S/MIME has a shared-key
mode. I don't believe that OpenSSL has support for Kerberos but
I don't know if it implements the shared-key S/MIME modes. Steve
Henson would know. Steve?

Also, remember that OpenSSL is a general crypto implementation so it
could be used to implement a system which does symmetric key exchange.
In fact, KAME (the FreeBSD IPsec system) can be compiled to use 
OpenSSL and uses shared-keys by default.

In any case, if you're using SSL/TLS, you're almost certainly using
asymmetric key exchange. If you're using certificates you certainly
are. 

> If there is a site I could go to, to learn this stuff I will be more than
> happy to visit it. Also if anyone could recommend a book about
> certificates/keys and how to set things up in a secure way. I.e. using a
> PKI server, a store key and things like that. Thanks!!
I haven't read any of the PKI books so I'm a little reluctant to
recommend one. That said, I've leafed through Housley and Polk's
"Planning for PKI" and it looks pretty accessible. I know both
Russ and Tim personally and they're smart guys and know what they're
talking about.

If you want to understand how this all fits into SSL/TLS, you
might check out my book, "SSL and TLS: Designing and Building
Secure Systems" (see my .sig for a link).

-Ekr

--
[Eric Rescorla                                   [EMAIL PROTECTED]]
Author of "SSL and TLS: Designing and Building Secure Systems"
                 http://www.rtfm.com/sslbook
  
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
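
An added example, not part of the original message and not OpenSSL's own code: it sorts cipher suites by the `Kx=` (key exchange) field that `openssl ciphers -v` prints, separating the asymmetric exchanges from the shared-key ones the reply mentions. The sample lines are constructed, and the class labels and the grouping of Kx values are this example's own assumptions.

```python
# Constructed sample lines in the layout printed by `openssl ciphers -v`.
SAMPLE = """\
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
PSK-AES128-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(128) Mac=SHA1
ECDHE-PSK-AES128-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK Enc=AES(128) Mac=SHA1
KRB5-DES-CBC3-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=SHA1
"""

# The grouping below is this example's assumption, not an OpenSSL API.
ASYMMETRIC = {"RSA", "DH", "ECDH"}        # public-key exchange
SHARED_KEY = {"PSK", "KRB5"}              # both sides already hold a secret
MIXED = {"DHEPSK", "ECDHEPSK", "RSAPSK"}  # public-key exchange plus a pre-shared key


def key_exchange(line):
    """Return (suite name, Kx value) for one line, or None if it has no Kx= field."""
    fields = line.split()
    for field in fields[1:]:
        if field.startswith("Kx="):
            return fields[0], field[3:]
    return None


def classify(kx):
    """Map a Kx value to one of this example's (hypothetical) class labels."""
    base = kx.split("/")[0].split("(")[0]  # tolerate qualifiers such as "DH/RSA"
    if base in ASYMMETRIC:
        return "asymmetric"
    if base in SHARED_KEY:
        return "shared-key"
    if base in MIXED:
        return "mixed"
    if base == "any":
        return "negotiated-separately"  # TLS 1.3 suites do not fix the key exchange
    return "other"


def group_by_exchange(text):
    """Group suite names by key-exchange class, preserving input order."""
    groups = {}
    for line in text.splitlines():
        parsed = key_exchange(line)
        if parsed:
            groups.setdefault(classify(parsed[1]), []).append(parsed[0])
    return groups


if __name__ == "__main__":
    for label, names in group_by_exchange(SAMPLE).items():
        print(f"{label}: {', '.join(names)}")
```

To check a real installation, pass the text printed by `openssl ciphers -v` to `group_by_exchange` in place of `SAMPLE`.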