kjj
July 11, 2011, 07:25:06 PM
>>> on a busy SSL server, things get signed and encrypted, 1000 times per second. with the same 1024/2048 bit key. they are not broken (yet).
>> Dude. SSL never encrypts anything with the server's private key. Never.
> partly true. but it is used (to sign) in the key-exchange protocol, to prevent a 3rd party from modifying the protocol messages.
No, it isn't. In SSL, the client encrypts the premaster secret (a number used to derive the symmetric session key) using the server's public key. The server decrypts it using the private key. At no time does the server ever emit anything directly derived from its private key. SSL uses symmetric encryption for the payload. PKC is only used to securely exchange that session key, and the entire exchange protocol was designed to protect the server's private key from re-use.
17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8 I routinely ignore posters with paid advertising in their sigs. You should too.

kokjo
July 11, 2011, 07:27:37 PM
> How about this then: In SSL, the server's private key is not used for encryption, nor for hashing, nor for any other operation, cryptographic or otherwise, of anything that is released to any other party.
LOL! TROLL! then what is it used for, please enlighten us with your superior knowledge.
"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell

kjj
July 11, 2011, 07:31:29 PM
>> How about this then: In SSL, the server's private key is not used for encryption, nor for hashing, nor for any other operation, cryptographic or otherwise, of anything that is released to any other party.
> LOL! TROLL! then what is it used for, please enlighten us with your superior knowledge.
Already answered in the post just above yours.
kokjo
July 11, 2011, 07:43:32 PM
>>>> on a busy SSL server, things get signed and encrypted, 1000 times per second. with the same 1024/2048 bit key. they are not broken (yet).
>>> Dude. SSL never encrypts anything with the server's private key. Never.
>> partly true. but it is used (to sign) in the key-exchange protocol, to prevent a 3rd party from modifying the protocol messages.
> No, it isn't. In SSL, the client encrypts the premaster secret (a number used to derive the symmetric session key) using the server's public key. The server decrypts it using the private key. At no time does the server ever emit anything directly derived from its private key. SSL uses symmetric encryption for the payload. PKC is only used to securely exchange that session key, and the entire exchange protocol was designed to protect the server's private key from re-use.
the client can often force a DH key-agreement to happen. it requires the server to sign with the private key.
kjj
July 11, 2011, 08:07:41 PM
> the client can often force a DH key-agreement to happen. it requires the server to sign with the private key.
Reference?
kokjo
July 11, 2011, 08:17:32 PM
>> the client can often force a DH key-agreement to happen. it requires the server to sign with the private key.
> Reference?
http://www.ietf.org/rfc/rfc5246.txt p. 91-92
F.1.1.3. Diffie-Hellman Key Exchange with Authentication
When Diffie-Hellman key exchange is used, the server can either supply a certificate containing fixed Diffie-Hellman parameters or use the server key exchange message to send a set of temporary Diffie-Hellman parameters signed with a DSA or RSA certificate.
also every certificate is signed by a CA.
kjj
July 11, 2011, 08:42:46 PM
>>> the client can often force a DH key-agreement to happen. it requires the server to sign with the private key.
>> Reference?
> http://www.ietf.org/rfc/rfc5246.txt p. 91-92
> F.1.1.3. Diffie-Hellman Key Exchange with Authentication
> When Diffie-Hellman key exchange is used, the server can either supply a certificate containing fixed Diffie-Hellman parameters or use the server key exchange message to send a set of temporary Diffie-Hellman parameters signed with a DSA or RSA certificate.
> also every certificate is signed by a CA.
I stand corrected. SSL implementations that ignore all the SHOULDs and warnings in that section do actually have the option to use their private keys directly.
kokjo
July 11, 2011, 09:01:05 PM
>>>> the client can often force a DH key-agreement to happen. it requires the server to sign with the private key.
>>> Reference?
>> http://www.ietf.org/rfc/rfc5246.txt p. 91-92
>> F.1.1.3. Diffie-Hellman Key Exchange with Authentication
>> When Diffie-Hellman key exchange is used, the server can either supply a certificate containing fixed Diffie-Hellman parameters or use the server key exchange message to send a set of temporary Diffie-Hellman parameters signed with a DSA or RSA certificate.
>> also every certificate is signed by a CA.
> I stand corrected. SSL implementations that ignore all the SHOULDs and warnings in that section do actually have the option to use their private keys directly.
apache has it enabled by default. it only requires the client to only allow DH in the ClientHello message, and the server supports DH. anyway it does not matter. signatures are useless for the purpose of getting information about the private key. signatures only give proof that the other party has access to the private key.
ampkZjWDQcqT
July 11, 2011, 09:46:30 PM
[...]
> How about this then: In SSL, the server's private key is not used for encryption, nor for hashing, nor for any other operation, cryptographic or otherwise, of anything that is released to any other party.
If not to perform cryptographic operations, what do you think is the purpose of a cryptographic key?
If you found my comment useful please express your gratitude by doing an action of similar magnitude towards a better society. Thanks you!.

kokjo
July 11, 2011, 09:57:39 PM
[...]
>> How about this then: In SSL, the server's private key is not used for encryption, nor for hashing, nor for any other operation, cryptographic or otherwise, of anything that is released to any other party.
> If not to perform cryptographic operations, what do you think is the purpose of a cryptographic key?
hey! don't step on him! he said:
client gets the server cert.
the client encrypts a random key he/she chooses, with the public key from the cert. and sends it to the server.
the server decrypts the random key
the server responds with an encrypted message, to prove that he/she knows the private key.
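The two key-exchange modes argued over in this thread, side by side, as an added example that is not any poster's code: RSA key transport, where the server's private key only decrypts the premaster secret, and DHE_RSA, where the server signs its temporary DH parameters (RFC 5246 F.1.1.3). The RSA key, the DH group and all function names are constructed for illustration; textbook RSA without padding and these parameters are insecure by design.

```python
# Added illustration, not from the thread. Toy values: the RSA modulus is a
# product of two Mersenne primes and there is no padding, so it is not secure.
import hashlib
import secrets

P, Q, E = 2**521 - 1, 2**607 - 1, 65537       # constructed server RSA key
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))              # server private exponent
DH_P, DH_G = 2**127 - 1, 5                     # constructed DH group


def rsa_key_transport():
    """RSA key exchange: the private key decrypts; no output of it is sent."""
    premaster = secrets.randbits(384)              # 48 bytes chosen by the client
    client_key_exchange = pow(premaster, E, N)     # client -> server, public-key op
    recovered = pow(client_key_exchange, D, N)     # server side, private-key op
    server_sent = []                               # nothing computed with D leaves
    return premaster == recovered, server_sent


def digest(client_random, server_random, params):
    """SHA-256 over both randoms and the DH parameters, as an integer below N."""
    blob = client_random + server_random + repr(params).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big")


def dhe_rsa(tamper=False):
    """DHE_RSA: the server signs temporary DH parameters with its private key."""
    client_random = secrets.token_bytes(32)
    server_random = secrets.token_bytes(32)
    y = secrets.randbelow(DH_P - 2) + 1            # server ephemeral secret
    params = (DH_P, DH_G, pow(DH_G, y, DH_P))
    signature = pow(digest(client_random, server_random, params), D, N)
    server_sent = [params, signature]              # ServerKeyExchange contents
    if tamper:                                     # a third party swaps the DH value
        params = (DH_P, DH_G, pow(DH_G, 1234, DH_P))
    # The client checks the signature with the public key before using params.
    ok = pow(signature, E, N) == digest(client_random, server_random, params)
    x = secrets.randbelow(DH_P - 2) + 1            # client ephemeral secret
    agreed = pow(params[2], x, DH_P) == pow(pow(DH_G, x, DH_P), y, DH_P)
    return ok, agreed, server_sent
```

With `tamper=True` the signature check fails, which is the modification by a third party that the signed parameters are there to catch.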