Is one-way SSL one-way encryption?

If one-way SSL is used (server certificate authentication), then data sent from the client is encrypted using the public key of the server certificate. Thus, data protection is available for data sent from the client. My questions:

  • Does this mean that in one-way SSL, the data sent from the server to the client is not encrypted and is sent as plain text?

  • For communication between the server and the client, the data/message is not signed, and therefore protection against unauthorized access or data integrity is not guaranteed. Are there any other means of ensuring data integrity when using SSL-based security rather than message security settings?

+8
security ssl wcf-security transport-security
2 answers

One-way SSL means that the server does not verify the identity of the client. It does not affect any other SSL security features.

While the SSL protocol is a little complicated, the main point is this: the client generates a random key, encrypts it so that only the server can decrypt it, and sends it to the server. Now the server and the client have a shared secret, which can be used to encrypt and verify messages in both directions.

The server has no idea about the client's identity, but otherwise encryption and message verification work in both directions.

Update:

1) Yes, the encryption in both directions is symmetric and uses the shared secret generated during session setup.

2) With a shared secret, message integrity is trivial to guarantee. You just make sure that the message has a certain form. For example, I can prefix each sent message with a sequence number and add a checksum to it before encryption. You decrypt it with the shared secret and check the sequence number and checksum. How could an attacker replace or change a message without knowing the shared secret, while keeping the sequence number and checksum intact?

+16
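The record protection described in this answer, as an added example that is not part of the original post. It is not code from either answerer: the shared secret is simply generated at random (standing in for the secret the client would send under the server's public key), the stream cipher is HMAC-SHA256 in counter mode (a toy, used only because the standard library has no AES), and integrity is an HMAC computed over the sequence number and the ciphertext (encrypt-then-MAC) rather than a checksum placed inside the plaintext. Everything else follows the answer: one secret, separate keys per direction, an implicit sequence number that catches both modification and replay, and a server-to-client record that is just as opaque as a client-to-server one.

```python
"""Toy TLS-style record layer: one shared secret, protection in both directions."""
import hmac
import hashlib
import secrets
import struct

TAG_LEN = 32  # HMAC-SHA256 output length


def derive_keys(shared_secret: bytes) -> dict:
    """Expand the handshake secret into four independent keys (HMAC-SHA256 as a PRF).
    Separate keys per direction and per purpose mean a record captured going
    client->server can never verify as a server->client record."""
    def expand(label: bytes) -> bytes:
        return hmac.new(shared_secret, label, hashlib.sha256).digest()
    return {
        "c2s_enc": expand(b"client->server encryption"),
        "c2s_mac": expand(b"client->server integrity"),
        "s2c_enc": expand(b"server->client encryption"),
        "s2c_mac": expand(b"server->client integrity"),
    }


def keystream(key: bytes, seq: int, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stand-in for a real stream/AEAD cipher.
    The record sequence number is part of the PRF input, so no keystream
    bytes are ever reused across records."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">QQ", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Endpoint:
    """One side of the connection: sends with one key pair, receives with the other."""

    def __init__(self, send_enc, send_mac, recv_enc, recv_mac):
        self.send_enc, self.send_mac = send_enc, send_mac
        self.recv_enc, self.recv_mac = recv_enc, recv_mac
        self.send_seq = 0  # implicit sequence numbers, never sent on the wire
        self.recv_seq = 0

    def seal(self, plaintext: bytes) -> bytes:
        ct = xor(plaintext, keystream(self.send_enc, self.send_seq, len(plaintext)))
        # encrypt-then-MAC; the tag binds the sequence number as well as the ciphertext
        tag = hmac.new(self.send_mac, struct.pack(">Q", self.send_seq) + ct, hashlib.sha256).digest()
        self.send_seq += 1
        return ct + tag

    def open(self, record: bytes) -> bytes:
        ct, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        expected = hmac.new(self.recv_mac, struct.pack(">Q", self.recv_seq) + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad_record_mac")  # TLS treats this as a fatal alert
        pt = xor(ct, keystream(self.recv_enc, self.recv_seq, len(ct)))
        self.recv_seq += 1
        return pt


def make_client_and_server(shared_secret: bytes):
    k = derive_keys(shared_secret)
    client = Endpoint(k["c2s_enc"], k["c2s_mac"], k["s2c_enc"], k["s2c_mac"])
    server = Endpoint(k["s2c_enc"], k["s2c_mac"], k["c2s_enc"], k["c2s_mac"])
    return client, server


def demo(shared_secret: bytes = None) -> dict:
    """Exercise both directions, then a tampered record and a replayed one."""
    if shared_secret is None:
        # stands in for the secret the client generated and sent under the server's public key
        shared_secret = secrets.token_bytes(32)
    client, server = make_client_and_server(shared_secret)
    results = {}

    req = client.seal(b"GET /account HTTP/1.1")  # constructed sample traffic
    results["request_ok"] = server.open(req) == b"GET /account HTTP/1.1"

    resp = server.seal(b"balance=1234")
    results["response_hidden"] = b"balance" not in resp  # server->client is not plaintext
    results["response_ok"] = client.open(resp) == b"balance=1234"

    # an attacker flips one ciphertext byte of a later client record
    rec = client.seal(b"POST /transfer amount=10")
    forged = bytes([rec[0] ^ 0x01]) + rec[1:]
    try:
        server.open(forged)
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True

    # the genuine record is accepted once; replaying it fails the sequence check
    results["genuine_ok"] = server.open(rec) == b"POST /transfer amount=10"
    try:
        server.open(rec)
        results["replay_detected"] = False
    except ValueError:
        results["replay_detected"] = True
    return results
```

`demo()` returns six booleans, all true: the server reads the request, the client reads the response (and the response bytes on the wire contain no plaintext), the flipped byte fails the MAC, the untouched record is accepted, and the same record sent a second time is rejected because the receiver's sequence counter has moved on. Note that the integrity check is done on the ciphertext before any decryption, and with a constant-time compare; that is the detail a homemade "checksum inside the plaintext" scheme typically gets wrong.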

There are two things going on in SSL:

First, the session key is negotiated using something like the Diffie-Hellman method. This generates a shared session key, but the key itself is never transferred between the parties.

Secondly, this session key is used in conventional symmetric encryption for the duration of the connection.

SSL does use public/private keys in one place, because the X509 certificate is used to identify at least one end of the connection. These certificates are signed using an asymmetric key pair.

Extracted from: How to secure SSL two-way communication with only one key pair?

0
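The two points of this answer side by side, as an added example that is not from the original post: an ephemeral Diffie-Hellman exchange in which the only values on the wire are the two public shares, and the reason the certificate signature mentioned in the last paragraph matters, shown by running the same exchange with an attacker substituting their own shares. The group (p = 2^127 - 1, g = 3) is a toy chosen so the arithmetic is visible; real TLS uses 2048-bit or larger groups or elliptic curves, and the signature over the server's share is not implemented here (the standard library has no RSA/ECDSA).

```python
"""Ephemeral Diffie-Hellman: same key on both ends, nothing secret on the wire."""
import hashlib
import secrets

# Toy group for illustration only: p = 2^127 - 1 (a Mersenne prime), g = 3.
P = (1 << 127) - 1
G = 3


def keypair():
    """Private exponent x in [1, p-2] and the public share g^x mod p."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_key(priv: int, peer_pub: int) -> bytes:
    """(g^y)^x mod p hashed down to a 256-bit session key.
    Degenerate shares (0, 1, p-1) are rejected so a peer cannot force a
    predictable result; this check is the minimum any DH receiver must do."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid public value")
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def handshake() -> dict:
    """Honest exchange. Both sides end with the same key; an eavesdropper sees
    only client_share and server_share, from which neither private exponent
    nor the key can be recovered without solving a discrete logarithm."""
    c_priv, c_pub = keypair()
    s_priv, s_pub = keypair()
    wire = {"client_share": c_pub, "server_share": s_pub}  # everything that crosses the network
    c_key = shared_key(c_priv, s_pub)
    s_key = shared_key(s_priv, c_pub)
    return {"keys_match": c_key == s_key, "wire": wire}


def mitm_handshake() -> dict:
    """Same exchange with an attacker replacing each share with their own.
    Unsigned shares give nobody a way to notice; in TLS the server's share is
    signed with the key in its X.509 certificate, which is what stops this."""
    c_priv, c_pub = keypair()
    s_priv, s_pub = keypair()
    m_priv, m_pub = keypair()
    # client and server each receive the attacker's share instead of the peer's
    c_key = shared_key(c_priv, m_pub)
    s_key = shared_key(s_priv, m_pub)
    m_key_with_client = shared_key(m_priv, c_pub)
    m_key_with_server = shared_key(m_priv, s_pub)
    return {
        "endpoints_agree": c_key == s_key,                    # False: two separate sessions
        "attacker_reads_client": m_key_with_client == c_key,  # True
        "attacker_reads_server": m_key_with_server == s_key,  # True
    }


if __name__ == "__main__":
    print("honest:", handshake()["keys_match"])
    print("unsigned, with attacker in the middle:", mitm_handshake())
```

`handshake()["keys_match"]` is always true, and `mitm_handshake()` shows the attacker holding one valid key with each side while the client and server themselves disagree. Key agreement on its own therefore only guarantees secrecy against a passive listener; the certificate (and the signature it lets the server put on its share) is what turns that into a session with a known peer, which is exactly the part one-way SSL keeps for the server and drops for the client.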
