Joshua Juran wrote:
On May 18, 2005, at 2:45 PM, Miles Bradford wrote:
My question on top of that was - "How could someone intercept an
encrypted message and get to the information inside the certificate
without corrupting the encryption that the data is wrapped in - since
once the perpetrator learned who you are - who cares that that data was
encrypted or not at this point. The whole point of encryption is to keep
people out - correct?
Certificates aren't encrypted. They're used to establish the encryption
in the first place.
Both "main" and "aggressive" modes of IKE with certificates
use DH to get a shared secret. Authentication is done by signing
and signatures are verifiable by public keys from certificates.
Yes, certificates are not encrypted in aggressive mode.
In main mode, payloads with identity, signature and certificates
are encrypted, for both parties.
RFC 2409
I am trying to understand someone else's writing "could not" be a
problem if someone intercepts a certificate. I have a problem with the
first part to start with. How can an encryption be intercepted, undone
and the data inside gotten to, then rewrapped in encryption and then
passed on. I don't understand encryption working like that. I totally
agree with you and David - in that you cannot cheat the encryption.
There's no such thing as 'intercepting' a certificate. You'll notice
that this message has a certificate attached. You can't 'intercept' it
because I'm not intending to prevent you from receiving it. In fact,
I'm intending that you *do* receive it.
Now that you have my certificate, you can create a message encrypted
such that only I can read it -- since only I have the private key needed
to decrypt it. The mirror image of public key encryption is digital
signature. I sign with my private key, and the public key verifies the
signature -- that the signer must be holding the private key.
A certificate is an assertion of identity of a keyholder. Mine says
"The key used to sign this message belongs to [EMAIL PROTECTED]"
It makes no guarantees about my personal identity (e.g. my real name)
but from it you can conclude that the message was sent by the owner of
this mailbox and wasn't forged by someone else. Should you believe what
my certificate says? Well, it was signed by Thawte, so if you trust
them, then yes.
Once you trust my certificate, you can use it for encrypting messages to
me.
I hope this helps.
Josh
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
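
The points made in the thread above (a certificate is public and unencrypted, signatures are checked with the public key it carries, and anyone holding it can encrypt to its owner) can be reproduced with the openssl command line. This is an added example, not part of the original messages; the address, file names and function names are constructed, and a self-signed certificate stands in for one signed by a CA.

```shell
#!/bin/sh
# Added example; the identity, paths and function names are constructed.
ID="alice@example.test"

# Create a private key (stays with its owner) and a self-signed certificate
# (given to everyone). Assumption: self-signed here; a CA would normally sign it.
make_identity() {  # $1 = work dir
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$ID" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# The certificate is not encrypted: it can be read without any key.
cert_subject() { openssl x509 -in "$1/cert.pem" -noout -subject; }

# Signing requires the private key.
sign_file() {  # $1 = dir, $2 = file; writes $2.sig
  openssl dgst -sha256 -sign "$1/key.pem" -out "$2.sig" "$2"
}

# Verifying requires only the public key extracted from the certificate.
verify_file() {  # $1 = dir, $2 = file; status 0 only if the signature matches
  openssl x509 -in "$1/cert.pem" -noout -pubkey > "$1/pub.pem" &&
  openssl dgst -sha256 -verify "$1/pub.pem" -signature "$2.sig" "$2" 2>&1 |
    grep -q "Verified OK"
}

# Encrypt to the certificate holder; only key.pem can decrypt the result.
# (Raw RSA suits short messages only; mail formats wrap a symmetric key.)
encrypt_to_cert() {  # $1 = dir, $2 = plaintext file, $3 = output file
  openssl pkeyutl -encrypt -certin -inkey "$1/cert.pem" -in "$2" -out "$3"
}
decrypt_with_key() { openssl pkeyutl -decrypt -inkey "$1/key.pem" -in "$2"; }

demo() {
  d=$(mktemp -d) || return 1
  make_identity "$d" || return 1
  printf 'meet at noon' > "$d/msg.txt"      # constructed sample message
  cert_subject "$d"
  sign_file "$d" "$d/msg.txt" && verify_file "$d" "$d/msg.txt" && echo "signature ok"
  printf 'meet at one!' > "$d/msg.txt"      # altered after signing
  verify_file "$d" "$d/msg.txt" || echo "altered message rejected"
  encrypt_to_cert "$d" "$d/msg.txt" "$d/msg.enc" &&
    decrypt_with_key "$d" "$d/msg.enc" && echo
  rm -rf "$d"
}
demo
```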