
HTTPS encryption

 
Antonio Fornie
Ranch Hand
Posts: 117
Hello again! I've got a question about HTTPS encryption:

I've read about unilateral and bilateral authentication, it means:
Unilateral authentication: Only the server gives a certificate.
Bilateral authentication: Both client and server give their certificate.

In case of unilateral, does it mean too that only the client shows its public key? If it were so, the server couldn't encrypt its responses and every eavesdropper could read the data going from the server to the client. That can't be true, so, how does it work? Is it that the server has to give a certificate and a public key but the client only needs to give a public key? If it were so, the server would never know the validity of the client public key... yes, I know it's nothing so important anyway. In fact, what I'd like to be sure of is what to answer in the SCEA5 part 1 exam.

Thanks!
 
Bigwood Liu
Ranch Hand
Posts: 240
There is some introduction here:
http://java.boot.by/scea5-guide/ch08s02.html
 
Drago Z Kamenov
Greenhorn
Posts: 12
Authentication and encryption are two different things. Even if neither party presents a certificate, public/private key pairs are generated and public keys are exchanged as part of the SSL handshake, so the entire conversation is still encrypted. If the client does not have a certificate, the identity of the client has to be established in a different way - usually a username/password. These credentials are still transmitted via HTTPS. Most often the HTTPS server has a certificate since it is easier and cheaper to obtain and maintain one on the server machine. A client certificate would have to be installed/uninstalled on each client machine, renewed regularly, revoked if stolen, etc., which is why in practice it's only done in highly controlled environments where security is of utmost importance, such as military, other government, big financial corporations, etc.
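An added illustration of the two points in the reply above (not code from the thread or from anyone in it): both sides generate fresh key pairs and agree on a session key without any certificate, and the client then proves its identity with a username/password sent inside that encrypted channel. The toy Diffie-Hellman group, the toy keystream cipher, the constructed user store and all function names (`simulate_session`, `seal`, `unseal`, ...) are assumptions standing in for real TLS, not TLS itself.

```python
import hashlib, hmac, secrets
# Toy group, illustration only (p = Mersenne prime 2**127 - 1); real TLS uses standard groups/curves.
P, G = 2**127 - 1, 3

def dh_keypair():
    """Each side makes a fresh key pair during the handshake; no certificate is needed."""
    private = secrets.randbelow(P - 2) + 1
    return private, pow(G, private, P)

def session_key(private, peer_public):
    """Both sides compute the same secret; an eavesdropper only sees the public values."""
    shared = pow(peer_public, private, P).to_bytes(16, "big")
    return hmac.new(b"toy-tls-kdf", shared, hashlib.sha256).digest()

def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Toy record protection: keystream XOR plus an HMAC tag (stands in for the TLS record layer)."""
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def unseal(key, record):
    """Reject records whose tag does not verify (tampering, or the keys never matched)."""
    nonce, body, tag = record[:16], record[16:-32], record[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("bad record tag")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

SALT = b"constructed-salt"  # constructed sample; real stores use a random salt per user
USERS = {"antonio": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 50_000)}

def check_credentials(username, password):
    """Server-side check of the password that arrived inside the encrypted channel."""
    stored = USERS.get(username, bytes(32))  # dummy keeps timing uniform for unknown users
    return hmac.compare_digest(stored, hashlib.pbkdf2_hmac("sha256", password, SALT, 50_000))

def simulate_session(username, password):
    """Unilateral-style flow: anonymous key agreement, then the client logs in over the channel."""
    c_priv, c_pub = dh_keypair()  # client
    s_priv, s_pub = dh_keypair()  # server
    client_key = session_key(c_priv, s_pub)
    server_key = session_key(s_priv, c_pub)  # same value as client_key
    record = seal(client_key, username.encode() + b":" + password)  # what goes over the wire
    user, _, pw = unseal(server_key, record).partition(b":")
    return check_credentials(user.decode(), pw)
```

What this does not show is server authentication: in real HTTPS the server's certificate is what stops an attacker from running the same key agreement in the server's place, which is why the client must verify it.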
 
Antonio Fornie
Ranch Hand
Posts: 117
Thank you all very much! Really came in handy!!
 
prathap venkata naga yelugula
Ranch Hand
Posts: 254
Nice discussion...

Cheers!
Prathap.
 
Pradip Bhattacharya
Greenhorn
Posts: 23
I would recommend you to read "SSL & TLS Essentials: Securing the Web". It's an excellent book explaining SSL.
 
Sabarish Varma
Greenhorn
Posts: 15
A very good explanation
 