Solved

SSL Certificate and Public Key Cryptographic

Posted on 2010-11-28
5
398 Views
Last Modified: 2012-05-10
I have Some Problem In SSl Certificate Concept :

I read that when I Connect to Site have ssl certificate like paypal.com , First the site send to my browser his certificate and public key , then browser use the public key to encrypt A session key with its Private key and send it to server ...
any body can explain for me this process and what is browser private key and how to see it ?
after handshake between browser and Site  how data transfer between them like if i transfer money ?
In this case Where the process use hashing ?
Finally How i can generate public and private key and what software to encrypt message ?
0
Comment
Question by:abu_qusy
  • 2
  • 2
5 Comments
 
LVL 4

Expert Comment

by:shudman
Comment Utility
There are many webs sites that explain how the process works:

http://luxsci.com/blog/how-does-secure-socket-layer-ssl-or-tls-work.html
http://www.evsslcertificate.com/ssl/description-ssl.html

Depending on what you want  you self signed cert to do, there are a few ways you can do this:
selfssl from the IIS Resource kit
http://blogs.technet.com/b/andym/archive/2008/09/15/exchange-2007-create-self-signed-certificates.aspx

What email system/we service are you intending to use ?
0
 
LVL 31

Accepted Solution

by:
Paranormastic earned 500 total points
Comment Utility
Your understanding is a little off - the client's private key normally is not required (client usually doesn't even have a certificate unless using "mutual authentication" / "client certificate authentication", which is uncommon) the above links are useful, but here is the quick overview

- Server sends certificate to client browser
- Browser checks to see if trusted
 = issued from a trusted CA like VeriSign
 = validity dates are current / not expired
 = name of site matches subject name (or subject alternative name) of certificate
 = not revoked
- Handshake between server and client for negotiating best supported synchronous key strength
- Browser generates synchronous key (RC-4, AES-256, etc.) to be used as the session key
- Browser encrypts session key with server public key and sends to server
- Server decrypts session key with server private key
- Regular communication commences with either client or server encrypting data using session key and the other decrypting using the same session key.

I'm not really sure how to check it in IE offhand - in most other browsers (e.g. FireFox, Opera, etc.) you can click the gold lock and somewhere in the detailed information it will tell you what kind of session key is being used.  To actually view the session key you would need to find some program that does that - that starts getting into a touchy area for methods of hacking SSL sessions, which you can google but I'm not going to get into in the forums - yes there are ways of attacking SSL, however they tend to be very complex and not very common, and typically easily detectable if you don't accept untrusted certificate warnings that are presented to you by the browser.
0
 

Author Comment

by:abu_qusy
Comment Utility
Thank all,
but Paranormastic:
What you mean by this
(client usually doesn't even have a certificate unless using "mutual authentication" / "client certificate authentication",and give me info. a bout methods of hacking SSL sessions, and how to see Session Key
please give me good tutorials a bout ways of attacking SSL
Thanks
0
 

Author Comment

by:abu_qusy
Comment Utility
Please Site like paypal have mutual authentication , her Clinets have Private Key ? and what is it  and clinet the connect to windows server have rivate  key ?
0
 
LVL 31

Expert Comment

by:Paranormastic
Comment Utility
Very few commercial sites use client authentication.  There are other secure methods for signing in, but that is done within the authentication processes to the site, not for allowing the SSL session to be created in the first place.  Having an authenticated SSL session does not mean that you are necessarily going to be authenticated to the protected site.

Normally only the client would use the server's public key from the certificate to encrypt session handshake info, and the server would use its private key to decrypt it.  With mutual authentication an additional process is added where the server asks the client for its authentication cert, the client supplies it, the server validates it as being authentic and from the appropriate trusted CA, then provides the client with some information encrypted with the client's public key such that only the client can decrypt it using its own private key, and then the client sends the challenge response back encrypted with the server's public key, which the server then decrypts with its own private key - if all goes well then they continue on with the handshake to negotiate cipher strength and create a session key to use like they would in a normal SSL handshake.  Once that's all set up then the web page is securely delivered through the SSL tunnel for your logon page or whatever.
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Suggested Solutions

There are many reasons malware will stay around and continue to grow as a business.  The biggest reason is the expanding customer base.  More than 40% of people who are infected with ransomware, pay the ransom.  That makes ransomware a multi-million…
By default, Carbonite Server Backup manages your encryption key for you using Advanced Encryption Standard (AES) 128-bit encryption. If you choose to manage your private encryption key, your backups will be encrypted using AES 256-bit encryption.
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now