RE: SIMple SSL question ??



Hi

In order to decrypt information sent by the client that was encrypted with
the certificate's public key, the attacker would have to have the private key
that goes with it. The private key is not passed in the certificate request,
so the attacker cannot decrypt incoming messages or sign outgoing ones.

When IIS is used to create a certificate request, the following takes place.

IIS generates a private/public key pair. It then submits the public key in a
certificate request.

The certificate request does not include the private key, nor does the reply
from the certification authority (CA). The certificate request information
includes:
subject distinguished name;
subject public key;
a set of attributes (optional).

This request information is then signed with the private key that
corresponds to the public key in the request.

The signature is then added to the request with details of the algorithm
used to sign it.

The signature proves to the CA that the sender has the private key that
corresponds to the values in the request. At no time is the private key
exchanged.

According to RSA:

'The signature on the certification request prevents an entity from
requesting a certificate with another party's public key. Such an attack
would give the entity the minor ability to pretend to be the originator of
any message signed by the other party. This attack is significant only if the
entity does not know the message being signed and the signed part of the
message does not identify the signer. The entity would still not be able to
decrypt messages intended for the other party, of course.'

Hope this helps

--
----------------------------------
Chris Seary
http://blog.searyblog.com/




"serge calderara" wrote:

Dear all,

I am sudying the SSL configuration of web site using certificate.
On my reading it is mention that if an attacker retrieve the certificate
request file and install it on his machine, he can use it to decrypt the
traffic between the initial web server and the client.

What I have understand in this SSL mechanism is that when a web client send
a request to the web server, the web server send back to the client the
certificate public key as an asymetric encryption, the the client send back
to the server a secret key encrypted with the receive plublic key. At this
time a secret session key is created and used betwen the web server and the
client to encrypt conversation using symetric encryption.

How can it be possible then that an attacker who could get the certificate
instaled on his machine, act as a man in middle ??

Thnaks for your clarification on that point casue ai ma realy confused

regards
serge
.



Relevant Pages

  • RE: SIMple SSL question ??
    ... I believe your book is instructing you to keep the private key secure. ... you use the certificate request wizard in IIS to install the cert after it's ... the certificate that's just been installed. ... If an attacker retrievs the SSL certificate, ...
    (microsoft.public.dotnet.security)
  • RE: SIMple SSL question ??
    ... I believe your book is instructing you to keep the private key secure. ... you use the certificate request wizard in IIS to install the cert after it's ... the certificate that's just been installed. ... If an attacker retrievs the SSL certificate, ...
    (microsoft.public.dotnet.security)
  • Re: Client certificate private key prompt
    ... this when they need to make sure that no request every goes as anonymous. ... Upgrading the client to W2K3 will not solve the two prompt issue. ... the private key. ...
    (microsoft.public.dotnet.framework)
  • Re: Interfacing key archival CMC request to a non .net CA
    ... If xenroll is used to construct the CMC request and attach the encrypted ... private key blob sent to the server. ... If the request is wrapped inside another PKCS7 layer as part of a nested CMC ... The closest match> "Encrypted Hash" is only the size of a RSA encryption, so can not> directly contain a full private key. ...
    (microsoft.public.platformsdk.security)
  • Re: IIS 6.0 SSL Certificate Difficulties
    ... that is just a plain text file with encrypted detail of your server detail. ... do you export the private key as well? ... > certificate from the IIS Snap-in it says that "You have a private key that ... > Another symptom is that when we create the request on the 2003 server, ...
    (microsoft.public.inetserver.iis)