Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

SSL Certificate and Public Key Cryptographic

Posted on 2010-11-28
5
Medium Priority
?
436 Views
Last Modified: 2012-05-10
I have Some Problem In SSl Certificate Concept :

I read that when I Connect to Site have ssl certificate like paypal.com , First the site send to my browser his certificate and public key , then browser use the public key to encrypt A session key with its Private key and send it to server ...
any body can explain for me this process and what is browser private key and how to see it ?
after handshake between browser and Site  how data transfer between them like if i transfer money ?
In this case Where the process use hashing ?
Finally How i can generate public and private key and what software to encrypt message ?
0
Comment
Question by:abu_qusy
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 4

Expert Comment

by:shudman
ID: 34227097
There are many webs sites that explain how the process works:

http://luxsci.com/blog/how-does-secure-socket-layer-ssl-or-tls-work.html
http://www.evsslcertificate.com/ssl/description-ssl.html

Depending on what you want  you self signed cert to do, there are a few ways you can do this:
selfssl from the IIS Resource kit
http://blogs.technet.com/b/andym/archive/2008/09/15/exchange-2007-create-self-signed-certificates.aspx

What email system/we service are you intending to use ?
0
 
LVL 31

Accepted Solution

by:
Paranormastic earned 2000 total points
ID: 34240616
Your understanding is a little off - the client's private key normally is not required (client usually doesn't even have a certificate unless using "mutual authentication" / "client certificate authentication", which is uncommon) the above links are useful, but here is the quick overview

- Server sends certificate to client browser
- Browser checks to see if trusted
 = issued from a trusted CA like VeriSign
 = validity dates are current / not expired
 = name of site matches subject name (or subject alternative name) of certificate
 = not revoked
- Handshake between server and client for negotiating best supported synchronous key strength
- Browser generates synchronous key (RC-4, AES-256, etc.) to be used as the session key
- Browser encrypts session key with server public key and sends to server
- Server decrypts session key with server private key
- Regular communication commences with either client or server encrypting data using session key and the other decrypting using the same session key.

I'm not really sure how to check it in IE offhand - in most other browsers (e.g. FireFox, Opera, etc.) you can click the gold lock and somewhere in the detailed information it will tell you what kind of session key is being used.  To actually view the session key you would need to find some program that does that - that starts getting into a touchy area for methods of hacking SSL sessions, which you can google but I'm not going to get into in the forums - yes there are ways of attacking SSL, however they tend to be very complex and not very common, and typically easily detectable if you don't accept untrusted certificate warnings that are presented to you by the browser.
0
 

Author Comment

by:abu_qusy
ID: 34268348
Thank all,
but Paranormastic:
What you mean by this
(client usually doesn't even have a certificate unless using "mutual authentication" / "client certificate authentication",and give me info. a bout methods of hacking SSL sessions, and how to see Session Key
please give me good tutorials a bout ways of attacking SSL
Thanks
0
 

Author Comment

by:abu_qusy
ID: 34268413
Please Site like paypal have mutual authentication , her Clinets have Private Key ? and what is it  and clinet the connect to windows server have rivate  key ?
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 34537090
Very few commercial sites use client authentication.  There are other secure methods for signing in, but that is done within the authentication processes to the site, not for allowing the SSL session to be created in the first place.  Having an authenticated SSL session does not mean that you are necessarily going to be authenticated to the protected site.

Normally only the client would use the server's public key from the certificate to encrypt session handshake info, and the server would use its private key to decrypt it.  With mutual authentication an additional process is added where the server asks the client for its authentication cert, the client supplies it, the server validates it as being authentic and from the appropriate trusted CA, then provides the client with some information encrypted with the client's public key such that only the client can decrypt it using its own private key, and then the client sends the challenge response back encrypted with the server's public key, which the server then decrypts with its own private key - if all goes well then they continue on with the handshake to negotiate cipher strength and create a session key to use like they would in a normal SSL handshake.  Once that's all set up then the web page is securely delivered through the SSL tunnel for your logon page or whatever.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are many Password Managers (PM) out there to choose from. PM's can help with your password habits and routines, but they should not be a crutch you rely on too heavily. I also have an article for company/enterprise PM's.
Businesses who process credit card payments have to adhere to PCI Compliance standards. Here’s why that’s important.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Suggested Courses

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question