
Buying over internet using SSL

 
J Gupta
Ranch Hand
Posts: 30
Hi,
I am not sure I am getting this right, but the following is how I understand most of the websites operate. Can you guys please validate if I am wrong somewhere?


1. A merchant generates a pair of private and public keys.
2. The merchant sends the public key to the CA in order to sign.
3. The CA, after verification, provides a digital certificate to the merchant (via email).
4. The merchant installs the digital certificate, public key and private key in the http:// (HTTP over SSL) web application. It is assumed the merchant's private key is kept secure.
5. A buyer points their browser to the merchant's secure web app and gets the merchant's public key.
6. The browser on the buyer's machine validates the merchant's digital certificate using the CA's public key; if there is an issue with the certificate, it warns the user. Issues could be that the certificate expired or could not be validated, etc.
7. The browser encrypts a symmetric key using the merchant's public key.
8. The merchant decrypts the buyer's symmetric key using its private key.
9. The merchant and buyer communicate securely using the symmetric key exchanged.
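
The steps listed in the post above, walked through with the OpenSSL command line as an added example that is not part of the original thread. The CA names, `shop.example`, the file names and the function names are constructed for illustration; the merchant's public key reaches the CA inside a certificate signing request, and `openssl enc` stands in for the encrypted session.

```shell
#!/bin/sh
# Added illustration; CA names, host name and sample order are constructed.
set -e
W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT

new_ca() {  # $1 = file prefix, $2 = CA name: creates a self-signed CA certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$W/$1.key" -out "$W/$1.crt" 2>/dev/null
}

issue_cert() {  # steps 1-3: key pair, CSR carrying the public key, CA signature
  new_ca ca "Example CA"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=shop.example" \
    -keyout "$W/m.key" -out "$W/m.csr" 2>/dev/null
  openssl x509 -req -in "$W/m.csr" -CA "$W/ca.crt" -CAkey "$W/ca.key" \
    -CAcreateserial -days 1 -out "$W/m.crt" 2>/dev/null
}

browser_verifies() {  # steps 5-6: $1 = CA certificate the browser trusts
  openssl verify -CAfile "$1" "$W/m.crt" >/dev/null 2>&1
}

exchange_key() {  # steps 7-8: session key wrapped under the certificate's public key
  openssl x509 -in "$W/m.crt" -pubkey -noout > "$W/m.pub"
  openssl rand -hex 32 > "$W/sym.key"            # buyer's symmetric key
  openssl pkeyutl -encrypt -pubin -inkey "$W/m.pub" -in "$W/sym.key" \
    -pkeyopt rsa_padding_mode:oaep -out "$W/sym.enc"
  openssl pkeyutl -decrypt -inkey "$W/m.key" -in "$W/sym.enc" \
    -pkeyopt rsa_padding_mode:oaep -out "$W/sym.dec"
  cmp -s "$W/sym.key" "$W/sym.dec"               # merchant holds the same key
}

send_order() {  # step 9: $1 = plaintext; prints what the merchant decrypts.
  # AES-CBC via `openssl enc` is a stand-in for the real record protection,
  # which also authenticates every record.
  printf '%s' "$1" |
    openssl enc -aes-256-cbc -pbkdf2 -pass "file:$W/sym.key" |
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$W/sym.dec"
}

issue_cert
new_ca other "Unrelated CA"
browser_verifies "$W/ca.crt" && echo "certificate chains to the trusted CA"
browser_verifies "$W/other.crt" || echo "issuer not trusted: browser warns the user"
exchange_key && echo "merchant recovered the symmetric key"
send_order "order=1 book (constructed sample)"; echo
```

Only the holder of `m.key` can unwrap `sym.enc`, which is why step 4's assumption about the private key carries the whole scheme.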
 
Ulf Dittmer
Rancher
Posts: 42969
73
Yes, that's pretty much how it works.
 
P Das
Ranch Hand
Posts: 123
Hi,

Why is it that the buyer has to use a symmetric key? Isn't the merchant's public key enough to encrypt what she wants to send?

Also, is it a possibility that the buyer uses her own private key (self generated or CA-verified) to further encrypt data, while sending her public key to the merchant?

In both cases the scenario is same as what was mentioned.

Regards,
 
P Das
Ranch Hand
Posts: 123
Hi,

Sorry, I overlooked SSL.

What I mentioned is in the context of HTTP.

Regards,
 