RE: SIMple SSL question ??
- From: Dominick Baier <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 28 Jul 2006 12:41:13 +0000 (UTC)
That's bugged and just not true.
OK - I would also delete a cert request file lying around.
But a certificate is a pub key + extra info. No private key.
That said - if someone compromises the server (given enough privileges) he will also find a way to retrieve the private key.
So secure your server.
dominick
Thanks for your reply.
Now I get confused. In the MS-Press book relative to the 70-330 exam
based on .NET security, a chapter discusses SSL configuration and
certificates. There are sample steps to follow in order to succeed with that
configuration. Works great.
Then at the end there is an important note mentioning:
"Remove the certificate request file and store the SSL certificate
file in a safe location. If an attacker retrieves the SSL certificate,
he can use it to impersonate your server and decrypt traffic"
How should I understand that?
regards
serge
"oldbear" wrote:
Hi
In order to decrypt information sent by the client that was encrypted
with the certificate's public key, the attacker would have to have
the private key that goes with it. The private key is not passed in
the certificate request, so the attacker cannot decrypt incoming
messages or sign outgoing ones.
When IIS is used to create a certificate request, the following takes
place.
IIS generates a private/public key pair. It then submits the public
key in a certificate request.
The certificate request does not include the private key, nor does
the reply from the certification authority (CA). The certificate request
information includes:
subject distinguished name;
subject public key;
a set of attributes (optional).
This request information is then signed with the private key that
corresponds to the public key in the request.
The signature is then added to the request with details of the
algorithm used to sign it.
The signature proves to the CA that the sender has the private key
that corresponds to the values in the request. At no time is the
private key exchanged.
According to RSA:
'The signature on the certification request prevents an entity from
requesting a certificate with another party's public key. Such an
attack would give the entity the minor ability to pretend to be the
originator of any message signed by the other party. This attack is
significant only if the entity does not know the message being signed
and the signed part of the message does not identify the signer. The
entity would still not be able to decrypt messages intended for the
other party, of course.'
Hope this helps
--
----------------------------------
Chris Seary
http://blog.searyblog.com/
"serge calderara" wrote:
Dear all,
I am studying the SSL configuration of a web site using a certificate.
In my reading it is mentioned that if an attacker retrieves the
certificate request file and installs it on his machine, he can use it to
decrypt the traffic between the initial web server and the client.
What I have understood of this SSL mechanism is that when a web
client sends a request to the web server, the web server sends back to
the client the certificate public key as asymmetric encryption,
then the client sends back to the server a secret key encrypted with
the received public key. At this time a secret session key is
created and used between the web server and the client to encrypt
the conversation using symmetric encryption.
How can it be possible then that an attacker who could get the
certificate installed on his machine could act as a man in the middle?
Thanks for your clarification on that point, because I am really
confused
regards
serge
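The proof-of-possession check described in the thread (request info signed with the private key, verified by the CA against the public key inside the request), as an added example that is not part of the original posts. It uses textbook RSA with constructed keys and a made-up request layout rather than real PKCS#10 encoding; all function names and subject names are hypothetical.

```python
import hashlib

E = 65537

def make_keypair(p, q):
    """Textbook RSA from two primes: returns (public, private) = ((n, e), d)."""
    n = p * q
    return (n, E), pow(E, -1, (p - 1) * (q - 1))

def request_info(subject, public_key, attributes):
    # The three fields the post lists: subject DN, subject public key, attributes.
    n, e = public_key
    return f"{subject}|{n}|{e}|{','.join(attributes)}".encode()

def digest(info, n):
    return int.from_bytes(hashlib.sha256(info).digest(), "big") % n

def create_request(subject, public_key, signing_d, signing_n, attributes=()):
    """Sign the request info with a private key; only public data is returned."""
    info = request_info(subject, public_key, attributes)
    return {"subject": subject, "public_key": public_key,
            "attributes": tuple(attributes), "alg": "toy-rsa-sha256",
            "signature": pow(digest(info, signing_n), signing_d, signing_n)}

def ca_verify(req):
    """CA check: the signature must verify under the public key in the request."""
    n, e = req["public_key"]
    info = request_info(req["subject"], req["public_key"], req["attributes"])
    return pow(req["signature"], e, n) == digest(info, n)

# Constructed keys built from well-known Mersenne primes (illustration only).
SERVER_PUB, SERVER_D = make_keypair(2**89 - 1, 2**107 - 1)
OTHER_PUB, OTHER_D = make_keypair(2**61 - 1, 2**127 - 1)

def demo():
    honest = create_request("CN=www.example.test", SERVER_PUB, SERVER_D, SERVER_PUB[0])
    # A second party asks for a certificate on the server's public key but can
    # only sign with its own private key, so proof of possession fails.
    borrowed = create_request("CN=other.example.test", SERVER_PUB, OTHER_D, OTHER_PUB[0])
    renamed = dict(honest, subject="CN=other.example.test")  # edited after signing
    return {"honest": ca_verify(honest), "borrowed_key": ca_verify(borrowed),
            "renamed": ca_verify(renamed),
            "private_key_in_request": SERVER_D in honest.values()}

if __name__ == "__main__":
    print(demo())
```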