
Why is the answer not c?

 
Win Yu
Ranch Hand
Posts: 224
2. Which of the following is not an optional step in establishing an SSL handshake?
a. Server side certificate validation by the client
b. client side certificate validation by the server
c. Generation of session keys for encryption and decryption
d. Selection of a suitable Cipher suite for encryption by the server and the client
 
Robin Zhang
Ranch Hand
Posts: 139
c. Generation of session keys for encryption and decryption
c: definitely not the optional step, that is how they exchange messages. Am I correct?
 
Ashok Mash
Ranch Hand
Posts: 1936
I agree with Robin, but I feel all of a, c & d are mandatory in SSL handshaking. b can be avoided if the server doesn't ask for client authentication.
I found this on a google search - SSL Handshake - MSN
So what's the correct answer? Can someone help please?
 
Alberto Dell'Era
Greenhorn
Posts: 29
Originally posted by J Ash:
I agree with Robin, but I feel all of a, c & d are mandatory in SSL handshaking. b can be avoided if the server doesn't ask for client authentication.
I found this on a google search - SSL Handshake - MSN
So what's the correct answer? Can someone help please?

Ian is correct IMHO. If you open the Netscape SSL doc (check http://www.javaranch.com/scealinks.jsp), you can see (chapter "Cipher Suites with RSA Key Exchange") that a possible algorithm selected in the handshake may be "No encryption, MD5 message authentication only". No key is generated in this case, since no encryption is necessary; perhaps MD5 needs a key exchange (I don't know about that), but that is not for encryption ... MD5 means "Message Digest 5th version", a sort of hash function computed on the message to avoid tampering or substitution (i.e. loss of integrity); a sort of "signature".
The doc on Microsoft Network just summarizes the usual steps performed in 99% of cases, not in all cases.
Anyway this question is very interesting because it reminds us of a truth about SSL, that is, that the encryption algorithm selected in the SSL handshake may be absolutely not secure (the weakest ones can be decoded relatively easily).
When I learned about that, I jumped to Amazon to verify the encryption algorithm they use. Fortunately, this is a strong 128-bit code, so no cracker can order books from my account ...
[ April 15, 2002: Message edited by: Alberto Dell'era ]
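As an added example (not code from this thread or from the Netscape document), a small Python classifier that takes cipher-suite names of the kind the post above refers to and reports whether a session encryption key is derived at all (it is not for a NULL-encryption suite) and whether the suite meets a minimum policy. The sample suite names, the 128-bit minimum and the deprecated-cipher list are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample of IANA-style suite names (assumed for this example),
# of the kind the "Cipher Suites with RSA Key Exchange" chapter describes.
SAMPLE_SUITES = [
    "TLS_RSA_WITH_NULL_MD5",           # no encryption, MD5 integrity only
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",  # 40-bit export grade
    "TLS_RSA_WITH_RC4_128_MD5",        # 128-bit, but RC4 is prohibited (RFC 7465)
    "TLS_RSA_WITH_AES_128_CBC_SHA",    # 128-bit AES
]

_SUITE = re.compile(r"^(?:TLS|SSL)_(?P<kx>.+?)_WITH_(?P<enc>.+)_(?P<mac>MD5|SHA\d*)$")
_FIXED_BITS = {"3DES": 168, "DES": 56, "IDEA": 128}   # ciphers whose name carries no bit count
_DEPRECATED_BULK = {"RC4", "DES", "3DES", "RC2"}      # policy choice assumed for this example
MIN_KEY_BITS = 128                                    # policy choice assumed for this example

@dataclass
class SuiteVerdict:
    name: str
    bulk_cipher: str
    key_bits: int                 # 0 when no encryption key is derived at all
    mac: str
    derives_encryption_key: bool
    acceptable: bool
    reason: str

def classify_suite(name: str) -> SuiteVerdict:
    """Split a suite name into key exchange / bulk cipher / MAC and judge it."""
    m = _SUITE.match(name)
    if not m:
        raise ValueError(f"unrecognised suite name: {name}")
    kx, enc, mac = m.group("kx"), m.group("enc"), m.group("mac")
    bulk = enc.split("_")[0]
    if bulk == "NULL":
        bits = 0                  # NULL cipher: the handshake derives no encryption key
    else:
        digits = re.search(r"_(\d+)(?:_|$)", enc)
        bits = int(digits.group(1)) if digits else _FIXED_BITS.get(bulk, 0)
    if bits == 0:
        reason = "NULL cipher: integrity only, no confidentiality"
    elif "EXPORT" in kx or bits < MIN_KEY_BITS:
        reason = f"{bits}-bit key is below the {MIN_KEY_BITS}-bit minimum"
    elif bulk in _DEPRECATED_BULK:
        reason = f"{bulk} is a deprecated bulk cipher"
    else:
        reason = "ok"
    return SuiteVerdict(name, bulk, bits, mac, bits > 0, reason == "ok", reason)

def audit(suites=SAMPLE_SUITES):
    """Classify every offered suite, weakest (fewest key bits) first."""
    return sorted((classify_suite(s) for s in suites), key=lambda v: v.key_bits)

if __name__ == "__main__":
    for v in audit():
        print(f"{'OK  ' if v.acceptable else 'WEAK'} {v.name:32} key={v.key_bits:>3} bits  {v.reason}")
```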
 