Originally posted by J Ash:
I agree with Robin, but I feel all a, c & d are mandatory in SSL handshaking. b can be avoided if server doesn't ask for a client authentication.
I found this on a google search - SSL Handshake - MSN
So what's the correct answer? Can someone help please?
Ian is correct IMHO. If you open the Netscape SSL doc (check http://www.javaranch.com/scealinks.jsp), you can see (chapter "Cipher Suites with RSA Key Exchange") that a possible algorithm selected in the handshake may be "No encryption, MD5 message authentication only". No key is generated in this case, since no encryption is necessary; perhaps MD5 needs a key exchange (I don't know about that), but that is not for encryption ... MD5 means "Message Digest 5th version", a sort of hash function computed on the message to avoid tampering or substitution (i.e. loss of integrity); a sort of "signature".
The doc on Microsoft Network just summarizes the usual steps performed in the 99% of the cases, not in all cases.
Anyway, this question is very interesting because it reminds us of a truth about SSL, that is, that the encryption algorithm selected in the SSL handshake may be absolutely not secure (the weakest ones can be decoded relatively easily).
When I learned about that, I jumped to Amazon to verify the encryption algorithm they use. Fortunately, this is a strong 128-bit code, so no cracker can order books from my account ...
[ April 15, 2002: Message edited by: Alberto Dell'era ]
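The check Alberto describes (looking at which suite a connection may end up with, and treating "no encryption, MD5 only" or a short key as unacceptable) can be automated. The following is an added example, not code from the thread: it classifies cipher-suite entries in the dictionary shape that Python's `ssl.SSLContext.get_ciphers()` returns, using a constructed sample list so it runs offline; the policy thresholds are assumptions chosen to match the post's "strong 128-bit" standard.

```python
import ssl

# Constructed sample entries in the shape that ssl.SSLContext.get_ciphers()
# returns (only the keys the check reads are filled in).
SAMPLE_CIPHERS = [
    {"name": "NULL-MD5", "symmetric": None, "digest": "md5", "strength_bits": 0, "aead": False},
    {"name": "RC4-MD5", "symmetric": "rc4", "digest": "md5", "strength_bits": 128, "aead": False},
    {"name": "DES-CBC-SHA", "symmetric": "des-cbc", "digest": "sha1", "strength_bits": 56, "aead": False},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "symmetric": "aes-128-gcm", "digest": None,
     "strength_bits": 128, "aead": True},
]

MIN_STRENGTH_BITS = 128          # assumed policy: the "strong 128-bit" bar from the post
BROKEN_CIPHERS = ("rc4", "des")  # assumed policy: symmetric algorithms no longer considered safe
WEAK_DIGESTS = {"md5"}           # assumed policy: MD5-based MACs are not acceptable


def why_weak(cipher):
    """Return the reason a suite gives inadequate protection, or None if it is acceptable."""
    if not cipher.get("symmetric"):
        return "no encryption (integrity only)"   # the NULL-cipher case discussed in the thread
    if cipher["strength_bits"] < MIN_STRENGTH_BITS:
        return f"only {cipher['strength_bits']}-bit key"
    if cipher["symmetric"].split("-")[0] in BROKEN_CIPHERS:
        return f"broken cipher {cipher['symmetric']}"
    if cipher.get("digest") in WEAK_DIGESTS:
        return f"weak MAC digest {cipher['digest']}"
    return None


def weak_suites(ciphers):
    """List (name, reason) for every suite in `ciphers` that fails the policy."""
    return [(c["name"], why_weak(c)) for c in ciphers if why_weak(c)]


if __name__ == "__main__":
    for name, reason in weak_suites(SAMPLE_CIPHERS):
        print(f"constructed sample: {name}: {reason}")
    # Same check against the suites this interpreter's default client context would offer.
    offered = ssl.create_default_context().get_ciphers()
    print(f"default context offers {len(offered)} suites, {len(weak_suites(offered))} flagged")
```

To audit a live server the same way the post describes, pass the `cipher()` result of a connected `SSLSocket` (or the full `get_ciphers()` list of the context you use) through `weak_suites` before sending anything sensitive.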