Question regarding SSL/TLS

Question regarding SSL/TLS
Secure Home | Search | About
Login Password
Register Now! Lost Password?
 General Computer Security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content add this group's latest topics to your Google content
Subject Author Date
Question regarding SSL/TLS jois.de.vivre 08-21-2006
Posted by on August 21, 2006, 5:01 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
>From what I've read I've come to understand that a server will
digitally sign a certificate by first creating a hash, then encrypting
the hash using its private key. The server will then send the
digitally signed certificate to the client, who decrypts it using the
public key and compares it with the hash value it calculates for the
certificate.
What prevents an attacker from decoding the certificate, substituting
his own information, re-calculating the hash, re-encrypting it using
his own private key and sending it to the client along with a new
public key?


Posted by Sebastian Gottschalk on August 21, 2006, 5:14 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
jois.de.vivre@gmail.com wrote:
>>From what I've read I've come to understand that a server will
> digitally sign a certificate by first creating a hash, then encrypting
> the hash using its private key. The server will then send the
> digitally signed certificate to the client, who decrypts it using the
> public key and compares it with the hash value it calculates for the
> certificate.
> What prevents an attacker from decoding the certificate, substituting
> his own information, re-calculating the hash, re-encrypting it using
> his own private key and sending it to the client along with a new
> public key?

That the verification process will fail? The client won't take the
attackers public key, but the the real certifier's key.

Posted by on August 21, 2006, 5:32 pm
If you were  Registered and logged in, you could reply and use other advanced thread options

> That the verification process will fail? The client won't take the
> attackers public key, but the the real certifier's key.

I see, so the public key has to be known and trusted beforehand? Does
a browser then keep a list of trusted public keys?


Posted by Markus Jansson on August 22, 2006, 12:12 am
If you were  Registered and logged in, you could reply and use other advanced thread options
jois.de.vivre@gmail.com wrote:
> I see, so the public key has to be known and trusted beforehand? Does
> a browser then keep a list of trusted public keys?

Yes. They are in its database when browser is installed to the computer.



--
My computer security & privacy related homepage
http://www.markusjansson.net
Use HushTools or GnuPG/PGP to encrypt any email
before sending it to me to protect our privacy.

Posted by Ludovic Joly on August 22, 2006, 3:18 am
If you were  Registered and logged in, you could reply and use other advanced thread options
Markus Jansson wrote:
> jois.de.vivre@gmail.com wrote:
> > I see, so the public key has to be known and trusted beforehand? Does
> > a browser then keep a list of trusted public keys?
>
> Yes. They are in its database when browser is installed to the computer.

This is very convenient, an excellent feature. Anyone with a
corresponding "trusted" private key and access to the route can perform
a MITM attack and decrypt and modify the traffic. We reach the point
where "trusted" has to be taken seriously.

Kind regards
Ludovic


Similar ThreadsPosted
WEP question August 18, 2004, 6:14 pm
* VPN and NAT Question November 8, 2004, 6:42 pm
Log in question July 22, 2005, 12:38 pm
Log in question July 22, 2005, 12:38 pm
Log in question July 22, 2005, 12:38 pm
A question October 2, 2005, 11:49 pm
PKI question August 1, 2006, 7:50 am
Question regarding SSL/TLS August 22, 2006, 12:23 pm
Question regarding SSL/TLS August 23, 2006, 4:51 am
IP number question January 26, 2005, 1:14 pm

The site map in XML format XML site map

Contact Us | Privacy Policy