Hello,
> 1. In apache server, Where i specify which message digest algorithm is used
> (MD5/SHA)
In Apache this is specified in SSLCipherSuite directive.
> 2. Is Message digest process to be done after encryption() ? if no, which
> step the message digest process to be process ?
HMAC is calculated before encryption take place.
> 3.
> Yes, but precisely speaking there are negotiated two algorithms
> one for encrypt/decrypt SSL packets (DES/AES/...) and onesfor
> ensuring SSL packet integrity (MD5/SHA1/...).
>
> SSL Packet Integrity algorithm is required before cipher negotiation process
> right ? , then only the master secret key / negotiation transaction are
> properly integrity (with MD5/SHA).if so...When the ssl client will know which
> message algorithm the ssl server is used?
No, actually client and server negotiates cipher_suite.
For example cipher_suite AES256-SHA has the following characteristic:
$ openssl ciphers -v AES256-SHA
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
which means that for key_exchange (Kx) will be used RSA,
for peer authentication (Au) will be used RSA, for data encryption (Enc)
will be used AES256 and for ensuring data integrity (Mac) will be used
SHA1.
>
> 4. I basic setup ssl apache server and browser.and I can properly
> communicated. How to I know which message digest algorithm i used for ssl
> server. and i want to know how to specify the MAC=SHA1 to be use for Message
> Digest process.
You can set cipher_suites in Apache with SSLCipherSuite directive.
> 5. For example , while doing cipher negotiation between server and the
> browser, both are agreed to use ADH-AES256-SH cipher for encrypt/ decrypt. so
> it Indirectly MAC also negotiated right ? Please correct me if it is wrong...
>
>
> openssl ciphers -v ADH-AES256-SHA
> ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1
Yes, in this cipher_suite SHA1 will be used for MAC.
SHA1 will be used by HMAC algorithm to calculate message digest.
For example, if server wants to send some data M to client, then
server will calculate hash H:
H = HMAC(packet_sequence+packet_proto+ssl_version
+data_len,server_write_mac)
where HMAC is defined as:
SHA1(K XOR opad, SHA1(K XOR ipad, M))
where M - message to hash, K - HMAC key, B - message digest block size
(64 for SH1).
Next, encryption take place:
E = AES256_ENCRYPT(M+H+pad, server_write_key)
and data E is encapsulated in SSL packet and send over
network to client.
Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
