RE: SIMple SSL question ??

thanks all of you for your comments

"oldbear" wrote:

Hi

Here's the PKCS information:

http://www.rsasecurity.com/rsalabs/node.asp?id=2132

I believe your book is instructing you to keep the private key secure. When
you use the certificate request wizard in IIS to install the cert after it's
been issued to you by the CA, have a look in the cert store. Double click on
the certificate that's just been installed.

The dialog that comes up shows that you have a private key that corresponds
to the certificate. Keep this private key secure.

The SSL certificate cannot let an intruder decrypt traffic. Only the private
key can do this.

Hope this helps

--
----------------------------------
Chris Seary
http://blog.searyblog.com/




"serge calderara" wrote:

Thnaks for your reply.

Now I get confused. In the MS-PRess book relative tto the 70-330 exam based
on .NEt security a chapter discuss about SSL configuration and
Certificate.There is sample steps to follow in order to succeed that
configuration. Works great.

then at the end there is an important note mentionning :

"Remove the certificate request file and store the SSL certificate file in a
safe location. If an attacker retrievs the SSL certificate, he can use it to
impersonate your server and decrypt traffic"

how should I understand that ?

regards
serge

"oldbear" wrote:

Hi

In order to decrypt information sent by the client that was encrypted with
the certificate's public key, the attacker would have to have the private key
that goes with it. The private key is not passed in the certificate request,
so the attacker cannot decrypt incoming messages or sign outgoing ones.

When IIS is used to create a certificate request, the following takes place.

IIS generates a private/public key pair. It then submits the public key in a
certificate request.

The certificate request does not include the private key, nor does the reply
from the certification authority (CA). The certificate request information
includes:
subject distinguished name;
subject public key;
a set of attributes (optional).

This request information is then signed with the private key that
corresponds to the public key in the request.

The signature is then added to the request with details of the algorithm
used to sign it.

The signature proves to the CA that the sender has the private key that
corresponds to the values in the request. At no time is the private key
exchanged.

According to RSA:

'The signature on the certification request prevents an entity from
requesting a certificate with another party's public key. Such an attack
would give the entity the minor ability to pretend to be the originator of
any message signed by the other party. This attack is significant only if the
entity does not know the message being signed and the signed part of the
message does not identify the signer. The entity would still not be able to
decrypt messages intended for the other party, of course.'

Hope this helps

--
----------------------------------
Chris Seary
http://blog.searyblog.com/




"serge calderara" wrote:

Dear all,

I am sudying the SSL configuration of web site using certificate.
On my reading it is mention that if an attacker retrieve the certificate
request file and install it on his machine, he can use it to decrypt the
traffic between the initial web server and the client.

What I have understand in this SSL mechanism is that when a web client send
a request to the web server, the web server send back to the client the
certificate public key as an asymetric encryption, the the client send back
to the server a secret key encrypted with the receive plublic key. At this
time a secret session key is created and used betwen the web server and the
client to encrypt conversation using symetric encryption.

How can it be possible then that an attacker who could get the certificate
instaled on his machine, act as a man in middle ??

Thnaks for your clarification on that point casue ai ma realy confused

regards
serge
.

Relevant Pages

  • RE: SIMple SSL question ??
    ... The private key is not passed in the certificate request, ... so the attacker cannot decrypt incoming messages or sign outgoing ones. ... When IIS is used to create a certificate request, ...
    (microsoft.public.dotnet.security)
  • RE: SIMple SSL question ??
    ... "Remove the certificate request file and store the SSL certificate file in a ... The private key is not passed in the certificate request, ...
    (microsoft.public.dotnet.security)
  • RE: SIMple SSL question ??
    ... I believe your book is instructing you to keep the private key secure. ... you use the certificate request wizard in IIS to install the cert after it's ... the certificate that's just been installed. ... If an attacker retrievs the SSL certificate, ...
    (microsoft.public.dotnet.security)
  • Re: Microsoft Certificate Services
    ... .cer doesn't have a private key. ... When you generate certificate request in IIS, ...
    (microsoft.public.platformsdk.security)
  • Re: Certificates, Keys, Mobile Users, Intended Usage
    ... Option that you think about uses self signed EFS certificates. ... Better then exporting user's private key as backup is to setup DRA (Data ... there is no EFS certificate and it will generate a new one. ... Mobile computer users benefit from encrypting sensitive ...
    (microsoft.public.win2000.security)