On 12-05-2013 09:59, [email protected] wrote:
Hi folks! I'm a newbie and I'd like understand know a thing:
I create a certificate and put it to my apache web server
openssl req -x509 -days 365 -newkey rsa:4096 -keyout apache.key -out
apache.crt
everything works perfectly.
The question: using firefox I see:
Techinical Details
Connection encrypted: high-grade encryption (aes-256, 256 bit keys)
Why aes256, 256 bit keys if my certificate is rsa:4096?
Since shortly after the invention of public key cryptography in the late
1970s,the preferred way to use it is to use public key algorithms (such
as RSA) to negotiate some random symmetric key cryptography keys which
the public key cryptography ensures will only be known by those with the
private keys matching the public keys used. Then the actual
transmission is secured with those keys.
So in your example, the 4096 bit RSA key in apache.key was used to
negotiate (for each new connection from Firefox) a set of two 256 bit
AES keys (one for send, one for receive) and a similar set of two HMAC
anti-tampering keys. Those 4 keys were then used to secure the
transmission, using complex security engineering designs to ensure
that (as far as we know) only someone with access to either the
apache.key that matches the public key in apache.crt OR with access to
the innards of your running Firefox process will be able to see and/or
change the transmission.
The security questions about adding exceptions are about making sure the
copy of apache.crt received by Firefox is the real one, and not one
someone else made up and installed on a wiretapping/virus infecting/
credit card stealing/otherwise evil machine. Because all the crypto in
the world will not help you if the key belongs to the wrong person.
Because it is inhumanly difficult for everyone to keep track of and
personally double check the public keys of every secure website they
will ever visit, we pay specialist companies called CAs to do this for
us, and then we only need to keep track of the public keys of the CAs.
But because there are now so many CAs around (most of them only checking
public keys from just one country, where they work with government
records), we pay the web browser manufacturers (Mozilla, Google, Apple,
Opera and Microsoft plus a few others) to keep track of the CAs public
keys and include those in the signed browser downloads.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]
