Thanks a ton Sander. So in the session setup phase, the server sends the public key to the client (which would hardly be a bother, even if it is intercepted by an eavesdropper). This public key is then used to encrypt the data on the client, sent over the wire, and decrypted by the server's private key.

That explains the client-to-server transfer. However, just one last confirmation regarding the server-to-client transfer. Is another public-private (session) key pair created? (This would then explain the server-to-client transfer seamlessly, wherein the client would send the (session) public key to the server; the server would encrypt data using this (session) public key; send the data over the wire; and the client would then decrypt the data using the (session) private key.)

Thanks Sander. You have really been a darling in all the help ;-)

Thanks and Regards,
Ajay

On Mon, Mar 26, 2012 at 11:03 AM, Sander Temme <scte...@apache.org> wrote:

> Ajay,
>
> On Mar 25, 2012, at 9:54 PM, Ajay Garg wrote:
>
> > Thanks Eric for the reply.
> >
> > Eric, but how is the shared secret configured? I do not remember configuring anything like this for the HTTPS-based WebDAV server.
>
> As your DAV client and the server set up their SSL connection, they exchange information that is used by either side to derive a set of session encryption keys. This starts with a piece of random data generated by the client, wrapped in the public key from the server's certificate, and sent to the server. Since only the server has the corresponding private key, no eavesdropper can intercept this piece of data, and no one but the server and client have the proper input material to derive those session keys.
>
> Once the session keys are created, they are used by either side to sign, encrypt, decrypt and verify the SSL records sent across the connection.
>
> So the only thing that is pre-arranged is the key/certificate on the server, and the fact that the client trusts the server certificate (through the CA certificate in the client's key store or CA bundle).
>
> Hope this helps,
>
> S.
>
> > Thanks and Regards,
> > Ajay
> >
> > On Sun, Mar 25, 2012 at 11:39 PM, Eric Covener <cove...@gmail.com> wrote:
> >
> > > > BUT, HOW IS THE CLIENT ABLE TO DECRYPT THE DATA? (I have been running both webdav server and client on the same machine; so it might very well be the case that some info from "ssl.conf" and/or "httpd.conf" is being used at the client side. However, I am just guessing ...
> > >
> > > Under SSL, the client and server negotiate a shared secret used to encrypt/decrypt the data.
> > >
> > > They can set this up securely because the client starts this process with info encrypted with the server's public key.
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> > > For additional commands, e-mail: users-h...@httpd.apache.org
>
> --
> scte...@apache.org http://www.temme.net/sander/
> PGP FP: FC5A 6FC6 2E25 2DFD 8007 EE23 9BB8 63B0 F51B B88A
>
> View my availability: http://tungle.me/sctemme
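The handshake step Sander describes, as an added example (not code from the thread): the client wraps a random premaster secret in the server's RSA public key, the server unwraps it with its private key, and both sides expand the same secret into one symmetric key per direction, which is why the server-to-client direction needs no second key pair. This is the static RSA key exchange of TLS up to 1.2 in outline; the HMAC-SHA256 derivation is an assumed stand-in for the real TLS PRF, and the generated RSA key stands in for the server certificate's key.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SessionKeys holds one symmetric key per direction; both ends derive the same
// pair from one shared secret, so the client holds a copy of ServerWrite too.
type SessionKeys struct{ ClientWrite, ServerWrite []byte }

// deriveSessionKeys expands the premaster secret into directional keys.
// Simplified stand-in for the TLS PRF: HMAC-SHA256 keyed with the secret.
func deriveSessionKeys(premaster []byte) SessionKeys {
	prf := func(label string) []byte {
		m := hmac.New(sha256.New, premaster)
		m.Write([]byte(label))
		return m.Sum(nil)
	}
	return SessionKeys{ClientWrite: prf("client write"), ServerWrite: prf("server write")}
}

// RSAKeyExchange is the handshake step from the thread: the client wraps a
// random premaster secret in the server's public key; only the private key
// unwraps it. Both sides' derived keys are returned so they can be compared.
func RSAKeyExchange(serverKey *rsa.PrivateKey) (client, server SessionKeys, err error) {
	premaster := make([]byte, 48) // client-side random input material
	if _, err = rand.Read(premaster); err != nil {
		return
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &serverKey.PublicKey, premaster, nil)
	if err != nil {
		return
	}
	unwrapped, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverKey, wrapped, nil)
	if err != nil {
		return
	}
	return deriveSessionKeys(premaster), deriveSessionKeys(unwrapped), nil
}

func main() {
	serverKey, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the server certificate key
	c, s, err := RSAKeyExchange(serverKey)
	fmt.Println(err, bytes.Equal(c.ServerWrite, s.ServerWrite), bytes.Equal(c.ClientWrite, s.ClientWrite))
}
```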