To all,
First, to all that contributed responses so far, thank you very much for
being patient and providing a wealth of information to my sort of
clueless mind.
I've read everyone's responses in detail. Spent hours mulling over the
original article in the NY Times
(http://www.nytimes.com/library/tech/99/09/biztech/articles/06code.html)
that started all this hoopla.
What's scary, is that I think I'm getting a clue here. But I'd like to
submit my thoughts and a few questions to you'all for review/comment
before I even think I might have a clue. Here we go:
Background: Web server using SSL 128-bit Strong U.S. encryption
w/compatible browser.
My understanding of the process:
1. Browser opened. Person types in "https" something or other.com.
2. Server responds with handshake saying sure go ahead.
3. Browser then generates an ephemeral (temporary) symmetrical key from a
48 Byte master key and a random value. (BTW, anyone know what the random
values are?)
4. This key that's generated is then encrypted with the 1024 bit
(public) RSA key. (Strong U.S. only, 512 for export version)
5. This "session key" hidden in the RSA 1024 bit key is then transmitted
and received by the web server.
6. Web Server then "decrypts" the 1024 RSA key and derives the "session
key".
7. Time back up for a moment. The "key" in the web server is generated
each re-boot. The last time the web server was re-booted, it generates
a key. This key is transmitted to the browser encrypted with the RSA
1024 bit public key.
8. So encryption from browser to server is done using the browser's
"session key". And the traffic from the Web Server to the browser is
done using the Web Server's "session key" that was generated at the last
re-boot.
9. Person is done with, browser is closed.
10. Web Server is not re-booted.
11. Next day person starts another https session.
12. Steps 3 - 9 happen over again, EXCEPT a DIFFERENT symmetrical key is
generated by the browser from the last time it was opened. (This is
good, yes?)
13. Person is done with, browser is closed.
14. Web Server IS re-booted that night.
15. Next day person starts another https session.
16. Steps 3 - 9 happen over again, EXCEPT a DIFFERENT symmetrical key is
generated by the browser from the last time it was opened and a
DIFFERENT session key is now also in use by the Web Server because of
the re-boot. (This is good, yes?)
QUESTION: Is what I've said above correct? (in CEO's terminology)
Please keep in mind that I'm from the "old" crypto days (70's & 80's)
before PC's. I'm trying, be gentle.
Thanks a bunch,
Michael Sorbera
Webmaster
Randolph-Brooks Federal Credit Union
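
The key derivation that steps 3 to 6 and 12 ask about, as an added example that is not part of the original message. It assumes the TLS 1.0 (RFC 2246) derivation with an RC4-128/MD5 cipher suite, does not model the RSA transport of the 48-byte pre-master secret, and all function names are illustrative.

```python
# Added illustration (not from the original message). Assumes TLS 1.0 (RFC 2246)
# key derivation and an RC4-128/MD5 cipher suite; function names are hypothetical.
import hmac, os, struct, time

def p_hash(digest, secret, seed, length):
    """RFC 2246 P_hash: HMAC chain expanded to `length` bytes."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()
        out += hmac.new(secret, a + seed, digest).digest()
    return out[:length]

def prf(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5 keyed with the first half of the secret,
    XORed with P_SHA1 keyed with the second half."""
    half = (len(secret) + 1) // 2
    md5 = p_hash("md5", secret[:half], label + seed, length)
    sha = p_hash("sha1", secret[-half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5, sha))

def new_random():
    """Hello random: 4-byte UNIX time + 28 random bytes, fresh per connection."""
    return struct.pack(">I", int(time.time())) + os.urandom(28)

def new_pre_master():
    """48-byte pre-master secret: 2 version bytes + 46 random bytes, chosen by the
    browser and sent encrypted under the server's RSA public key (not modelled)."""
    return b"\x03\x01" + os.urandom(46)

def derive_session_keys(pre_master, client_random, server_random):
    """Both ends run this on the same three inputs and get the same four keys."""
    master = prf(pre_master, b"master secret", client_random + server_random, 48)
    block = prf(master, b"key expansion", server_random + client_random, 64)
    names = ("client_mac", "server_mac", "client_key", "server_key")
    return {n: block[i * 16:(i + 1) * 16] for i, n in enumerate(names)}

if __name__ == "__main__":
    for day in (1, 2):  # two connections, server not restarted in between
        keys = derive_session_keys(new_pre_master(), new_random(), new_random())
        print("day", day, {n: k.hex() for n, k in keys.items()})
```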