Edward Diener <el...@tropicsoft.com> writes:
[...]
> In this last case I do not understand how the client can encrypt
> data going to the server if it has no private key of its own.
Each combination of algorithms that can be used when only one party
has a key must provide some way to do this.
When RSA is used and only one party has a private key, the party
without the key (usually the client) generates a secret, then sends it
to the server using its public key. The client knows the secret
because it made it up. The server knows the secret because it can
decrypt it with its private key. But an observer cannot figure out
the secret, so it is secure. This secret is used as part of the key
generation process, and the generated key can be used with a
conventional symmetric cipher (like DES or AES) to communicate
securely.
Alternately, the Diffie-Hellman(-Merkle) key-exchange protocol can be
used to establish a shared secret. See the Wikipedia entry:
http://en.wikipedia.org/wiki/Diffie-Hellman
These are the two most commonly used ways.
[...]
> For what books do I look to specifically understand how these
> certificates work with public key-private key pairs ? SSL books ?
> Cryptography public key-private key books ?
For a general understanding of cryptography, I learned from Bruce
Schneier's "Applied Cryptography". That provided enough basic
background information to get me by for a number of years. Recently
I'm having to understand more of the details, and I'm reading Eric
Rescorla's "SSL and TLS: Designing and Building Secure Systems" to
learn about the SSL protocol, and the O'Reilly book "Network Security
with OpenSSL" to learn about the OpenSSL library and its API.
Hope that helps!
----Scott.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
