> I know it should be private keys somehow involved into authentication.
> I'm sure I just missed something.
> Could anybody help me, please?
Aleksandr,

The private key is called private because it only resides on your computer. It is never involved in the exchange of information - hence the name private.

PKI uses what is called asymmetric key pairs - this is one of the most crucial concepts of PKI that few folks truly understand. The keys are asymmetric, which means they are NOT identical. They are a pair in that one is public and one is private. Knowledge of one does not necessarily infer knowledge of the other. Also, information encrypted with one must be decrypted with the other.

Example - I send you an encrypted email. I have used your public key, available from the corporate LDAP server (for example), to encrypt the email. Only your private key can decrypt the email. Therefore, if you can read the email, you must have the correct private half of the key pair.

For authentication, a challenge-response routine is normally used. The server will use the user's KNOWN public key to encrypt something. The client will have to decrypt it and respond appropriately. The decryption process requires the public key. The use of the private key is built into PKI.

The way we handle it is that we choose some random strings of characters and encrypt them with the public key. The server challenges the client to decrypt them and provide the original encrypted information. If this happens successfully, you may infer that the user attempting to authenticate has the correct private key for the public key used to encrypt them. You can choose to have the user handle this or you can handle it silently.

HTH,
Jimi
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
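The challenge-response exchange Jimi describes, written out as an added example that is not from the thread or from OpenSSL itself: the server keeps the user's public key on file, encrypts a fresh random challenge to it, and accepts the login only if the client returns the original plaintext, which only the holder of the matching private key can recover. The code uses Go's standard-library RSA with OAEP padding; the key pairs, the function names and the label string are this example's own choices.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Label bound into the OAEP encoding so a ciphertext made for another
// purpose cannot be replayed as an authentication challenge (assumed value).
var challengeLabel = []byte("auth-challenge")

// MakeChallenge is the server side: pick a random 32-byte nonce and encrypt
// it to the public key the server already has on file for this user.
// It returns the nonce (kept server-side) and the ciphertext (sent to the client).
func MakeChallenge(userPub *rsa.PublicKey) (nonce, ciphertext []byte, err error) {
	nonce = make([]byte, 32)
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	ciphertext, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, userPub, nonce, challengeLabel)
	if err != nil {
		return nil, nil, err
	}
	return nonce, ciphertext, nil
}

// AnswerChallenge is the client side: only the private half of the key pair
// can turn the ciphertext back into the nonce the server chose.
func AnswerChallenge(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ciphertext, challengeLabel)
}

// VerifyResponse is the server side again: constant-time compare of the
// client's answer against the nonce the server kept.
func VerifyResponse(expected, response []byte) bool {
	return subtle.ConstantTimeCompare(expected, response) == 1
}

// Authenticate runs the full exchange in one process for illustration and
// reports whether clientPriv is the private half of serverKnownPub.
func Authenticate(serverKnownPub *rsa.PublicKey, clientPriv *rsa.PrivateKey) (bool, error) {
	nonce, ct, err := MakeChallenge(serverKnownPub)
	if err != nil {
		return false, err
	}
	resp, err := AnswerChallenge(clientPriv, ct)
	if err != nil {
		// A non-matching private key fails OAEP decoding instead of
		// producing garbage; treat that as a failed login, not a server error.
		return false, nil
	}
	return VerifyResponse(nonce, resp), nil
}

func main() {
	// Constructed keys: "alice" is the user the server knows; "other" is
	// someone holding a different key pair.
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	other, _ := rsa.GenerateKey(rand.Reader, 2048)

	ok, _ := Authenticate(&alice.PublicKey, alice)
	bad, _ := Authenticate(&alice.PublicKey, other)
	fmt.Println("matching private key authenticates:", ok)  // true
	fmt.Println("different private key authenticates:", bad) // false
}
```

Two design points worth noting. The nonce is generated fresh per login and compared server-side, so a captured response cannot be replayed. Also, a client that will decrypt any blob a server hands it is acting as a decryption oracle for that key; this is why deployed protocols such as TLS client authentication instead have the client sign a transcript hash with its private key, which the server checks with the public key it has on file. The proof of possession is the same, but the private-key operation is a signature rather than a decryption.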