SSL + additional level of encryption

Question

SSL + additional level of encryption

I am wondering what to do if a client requests a second level of encryption over SSL?

For example, I have an SSL tunnel, and the client wants me to use symmetric key encryption for the data passing through this tunnel. The symmetric key is session-based and is sent from the server to the client over the original SSL tunnel.

I don’t understand how much safer it is. If the SSL tunnel is compromised, then theoretically the same symmetric key is sent from the server to perform symmetric encryption during the session.

Can anyone suggest different points of view on this situation? I am sure that if there was a common secret set in advance (for example, a one-time password), this would make things more secure, but since the secret is transmitted through the session via SSL, I do not see how it buys us additional security.

What are your thoughts, and have you had a similar experience?

thanks

+4

security ssl cryptography encryption-symmetric encryption-asymmetric

user146714 Jul 29 '11 at 3:27

source share

1 answer

emboss · Accepted Answer · 2011-07-31T20:44:05+0000

Sounds like the “next great idea” of customers who think that reading “My first Crypto” allows them to reinvent the wheel in some devilishly smart way.

Such a thing is usually nonsense, especially since, as you say, a symmetric key is sent.

However, I can think of one scenario where it might make sense - many large companies or institutions have policies that prohibit end-to-end SSL / TLS connections. They interrupt incoming TLS at some point in order to be able to scan plain text data for viruses, etc. In this case, it may be advisable to further encrypt the data at the application level to prevent internal eavesdropping.

But then again, you are likely to break internal rules ...

SSL + additional level of encryption

More articles: