All applications must have the private key, or the public key is useless. And, a public key is worthless without knowing who or what it belongs to, which is where certificates come in. (You have an SSH private key that is used to match up to your SSH public key stored on the server, for example. The server knows that that public key belongs to you, because only you or an authorized administrator could have put it there.)
Everything that wishes to authenticate itself cryptographically must have a private, secret key that only it knows. (If more than one thing wishes to authenticate with the same identity, then those things can share the secret key.) It must also have a public key which the other party knows (and believes corresponds to the identity it claims). I don't quite understand what you're asking here. -Kyle H On 6/6/06, Sudharsan Rangarajan <[EMAIL PROTECTED]> wrote:
Hi Kyle, Thanks, I was wondering about the folloing scenario. I have a single public key for all apps. Hoever no apps knows the pub key, and all i do is SSH port forwarding. DOes this have any significant problems? Thanks, Sudharsan On 6/6/06, Kyle Hamilton <[EMAIL PROTECTED]> wrote: > Every application has its opportunity to be stupid and reveal the > private key. This is one reason that wildcard certificates are > generally frowned on as a "worse practice" -- any single one of the > softwares that use the private key can reveal it. (The mantra of > security is: "You have to succeed every time. The attacker only has > to succeed once.") > > There's another issue: It makes more sense to keep one copy of the > private key on the system, with one passphrase that multiple > applications share. (I may be in the minority with this thinking...) > The reason why is that multiple copies of the private key, encrypted > with different passphrases, can be subjected to a "differential > ciphertext" attack. > > (The other alternative is to give multiple applications different > copies of the key and different passphrases. This isn't, in my view, > optimal, because if the passphrase for any software, and the location > of its key file -- or the enencrypted private key itself -- is > revealed by any software, the key is compromised regardless.) > > But there is no technical reason it cannot be done. > > -Kyle H > > On 6/5/06, Sudharsan Rangarajan <[EMAIL PROTECTED]> wrote: > > Hi all, > > I am just wondering if i could have multiple applications on a end > > host share the same public key. Can this cause a pbm in the sense > > there are more applications to target and a stupid one can reveal the > > private key? > > Or can there be other attacks posssible > > > > Thanks, > > Sudharsan > > ______________________________________________________________________ > > OpenSSL Project http://www.openssl.org > > User Support Mailing List openssl-users@openssl.org > > Automated List Manager [EMAIL PROTECTED] > > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager [EMAIL PROTECTED] > ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
