-----Original Message-----
From: Andrew Finnell [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 06, 2001 9:17 AM
To: 'Openssl ([EMAIL PROTECTED])'
Subject: Cryptology Questions
Hi all,
I was wondering if someone could help me out. I have to speak with some cryptology experts later today and was wondering if some answers could be answered.
1. What is the normal/(most secure) way to store private keys and protect them?
Right now I store them in .pem format in a file and encrypt them with DES-CBC.2. What does it mean if I need someone asks me if we support 'importing X.509 certificate from an external CA'. I thought that you just sign certificates with the CA not import them? Or am I missing something.
3. What is the normal/(most secure) way to validate the presented partners certificates when a SSL connection is established. Now my understanding was the defacto way was to include the ip/hostname in the CN? Is this correct and does it work both ways meaning. Can the server check to see if it's certificates have been move, i.e. if I copy public/private pairs from server a to server b, should server b check the ip/hostname to see if they really belong. And the client should check the certificate obtained from Server A, to see if it's really Server A correct?
Ok that's enough with the homework questions. Heh, it's not really homework but im sure that the answers are so easy that it seems like it. :) I bought Eric Rescorla's book 'SSL and TLS' and ive been trying to read that but I don't see where he goes into more detail about 'storing keys' and ensuring safety. Of course I could of just blown right by that chapter, I tend to read books backwards.
Now for my own interest. I see many names being thrown around. I'll tell you what I 'think' I know and please correct me if im wrong.
RSA is a public key cryptology. I take this to mean that the public and private keys ( i.e. certificate/key ) is encrypted over the wire with RSA? Actual application ( for my example we will say application ) data is encoded into a message and then encrypted with a Message Digest? Which can be either MD5 or SHA-1 for RSA but only SHA-1 for DSS. Now this is where I get confused. RSA is also used like DH, in that it's used to negotiate a session key? Is that correct? So basically RSA does two things while DSS relies on DH to be complete?
Let me see if I can translate this cipher: EDH-DSS-DES-CBC3-SHA. I take this to mean that the session key is negotiated with Emperhal DH meaning it's randomly generated on one side and not known by both parties. It uses DSS for public key encryption, DES for the actual data stream. I don't know what CBC3 means. But the Message Digest is SHA. Now what's the difference between encypting with a message digest with SHA but encrypting the data with DES? I thought the message was the data.Also reading in Eric's book he says 1024-bit assymetric keys are about as strong as 80-bit symmertic keys. So why is assymetric used? I assume its because of performance. It would probably take to long if everything was encrypted with 3DES correct?
I do apologize for all these questions but I really want to learn SSL and in general Security and Cryptology inside and out but all the different encyptions are throwing me for a loop. I always just thought of cryptology in the terms of using RSA, DES or 3DES but I see there is a lot more to it.
THANKS!
- Andrew
-------------------------------------
Andrew T. Finnell
Software Engineer
eSecurity Inc
(321) 394-2485
***************************************************************** DISCLAIMER: The information contained in this e-mail may be confidential and is intended solely for the use of the named addressee. Access, copying or re-use of the e-mail or any information contained therein by any other person is not authorized. If you are not the intended recipient please notify us immediately by returning the e-mail to the originator.