You are seriously lost. Private keys and public keys (certificates) are
USED in performing RSA encryption, but they are not themselves encoded
and/or transmitted under RSA encryption. Yes, keys for private-key
encryption are sent under public key encryption, but
a key for private key encryption is a very different animal than
a private key used for public key encryption.
> I have some systems running standalone, and far from here.
> I want to control them using VNC and encrypting the traffic between
> me and the systems. Those systems are accessible also to other
> people, so if I install a certificate with unencrypted private
> key, encrypting is useless, since a third party has private key too.
I'm assuming the "other people" have only read access, or else
they could install any kind of spy software they wanted. But if
they have read access there are no secrets on that machine,
they could theoretically clone the machine, feed it the same
information they wiretap off the wire, and get the decode.
So there's not much hope for secrecy, though you could ENCODE
the commands with a private key YOU hold and it would not then
be possible for others to counterfeit commands.
AH! The other side generates a random symmetric key (let's use the
terminology symmetric, private, and public). It encodes that key
with your PUBLIC key and sends it on to you. You can then decode
it with your closely-held PRIVATE key and use the random symmetric
key to exchange information with the other side.
This works as long as the temporary ephemeral random symmetric
key can be protected from reading on the other side, like if it
is kept only in memory and /dev/kmem and other ways to read the
memory of an arbitrary process are deactivated.
[EMAIL PROTECTED] wrote:
Bernhard Froehlich wrote:
one silly question: if I generate a request with
openssl req -new -keyout mykey.pem -out myreq.pem 265
the private key in mykey.pem is encrypted or not?
Since my openssl asks me for a password when using "openssl req -new -keyout mykey.pem -out
myreq.pem", I'd think the key is encrypted. Maybe your openssl.conf can influence that. If you want
to be sure the key is unencrypted use the option "-nodes".
Sure, but the story is a little bit more complicated. I have some systems running
standalone, and far from here. I want to control them using VNC and encrypting the
traffic between me and the systems. Those systems are accessible also to other people,
so if I install a certificate with unencrypted private key, encrypting is useless,
since a third party has private key too.
BTW, my doubt is: under pcAnywhere and apache I issue certificates with private key
that, AFAIK, should be RSA encrypted, and I supply a password for the pem I generate
with openssl req. Therefore how do pcAnywhere and apache handle this situation, since
they both DON'T ask me for any password?
Ciao
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
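
Added example, not part of the original thread: one way to check whether the key file written by "openssl req -keyout" is passphrase-protected is to read its PEM headers. The sample blocks are constructed placeholders (not real keys) and the function name is hypothetical.

```python
import re

# One PEM block: label, then optional "Name: value" headers plus base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def classify_private_keys(pem_text):
    """Return (label, state, detail) for every private-key block found."""
    results = []
    for label, body in PEM_BLOCK.findall(pem_text):
        if not label.endswith("PRIVATE KEY"):
            continue  # skip certificates, certificate requests, etc.
        # Traditional format puts headers before the base64 data;
        # base64 never contains ':', so header lines are easy to pick out.
        headers = {}
        for line in body.splitlines():
            if ":" in line:
                name, value = line.split(":", 1)
                headers[name.strip()] = value.strip()
        if label == "ENCRYPTED PRIVATE KEY":
            # PKCS#8: the cipher is inside the ASN.1, the label tells us enough
            results.append((label, "encrypted", "PKCS#8"))
        elif headers.get("Proc-Type", "").replace(" ", "") == "4,ENCRYPTED":
            cipher = headers.get("DEK-Info", "?").split(",")[0]
            results.append((label, "encrypted", cipher))
        else:
            # What "-nodes" produces: anyone who can read the file has the key
            results.append((label, "unencrypted", ""))
    return results

# Constructed samples; the base64 body is a placeholder, not key material.
SAMPLE_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
"""
SAMPLE_NODES = """-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
"""
SAMPLE_PKCS8 = """-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END ENCRYPTED PRIVATE KEY-----
"""

if __name__ == "__main__":
    for sample in (SAMPLE_ENCRYPTED, SAMPLE_NODES, SAMPLE_PKCS8):
        print(classify_private_keys(sample))
```
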