HTTPS encryption

 
Ranch Hand
Posts: 117
Hello again! I've got a question about HTTPS encryption:

I've read about unilateral and bilateral authentication; it means:
Unilateral authentication: Only the server gives a certificate.
Bilateral authentication: Both client and server give their certificate.

In the case of unilateral, does it also mean that only the client shows its public key? If it were so, the server couldn't encrypt its responses and every eavesdropper could read the data going from the server to the client. That can't be true, so how does it work? Is it that the server has to give a certificate and a public key but the client only needs to give a public key? If it were so, the server would never know the validity of the client's public key... yes, I know it's nothing so important anyway. In fact, what I'd like to be sure of is what to answer in the SCEA5 part 1 exam.

Thanks!
 
Ranch Hand
Posts: 240
There is some introduction here:
http://java.boot.by/scea5-guide/ch08s02.html
 
Greenhorn
Posts: 12
Authentication and encryption are two different things. Even if neither party presents a certificate, public/private key pairs are generated and public keys are exchanged as part of the SSL handshake, so the entire conversation is still encrypted. If the client does not have a certificate, the identity of the client has to be established in a different way - usually a username/password. These credentials are still transmitted via HTTPS. Most often the HTTPS server has a certificate since it is easier and cheaper to obtain and maintain one on the server machine. A client certificate would have to be installed/uninstalled on each client machine, renewed regularly, revoked if stolen, etc., which is why in practice it's only done in highly controlled environments where security is of utmost importance, such as the military, other parts of government, big financial corporations, etc.
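Added example, not from this thread or any of its posters, written in Ruby so it runs self-contained with only the openssl and socket standard libraries: both endpoints live in one process over loopback TCP with constructed self-signed certificates (the names server.example and client.example are made up), and the result shows the point above, that a cipher is negotiated and the channel is encrypted in both modes, while only the bilateral mode leaves the server with a verified client identity.

```ruby
require "openssl"
require "socket"

# Build an in-memory self-signed certificate for cn (constructed test material, not CA-issued)
# that can act either as a server certificate or as a client certificate.
def self_signed(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1 # X.509v3, needed for the extensions below
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 3600, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{cn}"))
  cert.add_extension(ef.create_extension("extendedKeyUsage", "serverAuth,clientAuth"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# One TLS handshake over loopback TCP. The server always presents its certificate and the client verifies it
# (unilateral); with require_client_cert the server also demands a client certificate it trusts (bilateral).
# Returns [negotiated cipher, whether the server saw a verified client cert]; raises SSLError if refused.
def handshake(require_client_cert:, client_cert: nil)
  srv_cert, srv_key = self_signed("server.example")
  srv_ctx = OpenSSL::SSL::SSLContext.new
  srv_ctx.cert, srv_ctx.key = srv_cert, srv_key
  srv_ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE # unilateral: the client is never asked for a certificate
  if require_client_cert
    srv_ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
    srv_ctx.cert_store = OpenSSL::X509::Store.new # the server trusts only the client cert handed in, if any
    srv_ctx.cert_store.add_cert(client_cert[0]) if client_cert
  end
  cli_ctx = OpenSSL::SSL::SSLContext.new
  cli_ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  cli_ctx.verify_hostname = true
  cli_ctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(srv_cert) }
  cli_ctx.cert, cli_ctx.key = client_cert if client_cert
  listener = TCPServer.new("127.0.0.1", 0)
  server = Thread.new do # server side: accept the TCP connection and run its half of the handshake
    Thread.current.report_on_exception = false # a failure is re-raised by server.value below
    OpenSSL::SSL::SSLSocket.new(listener.accept, srv_ctx).tap { |s| s.sync_close = true }.accept
  end
  cli = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", listener.addr[1]), cli_ctx).tap { |s| s.sync_close = true }
  cli.hostname = "server.example" # SNI, and the name verify_hostname checks against the server cert
  cli.connect
  srv = server.value # re-raises the server's SSLError, e.g. "peer did not return a certificate"
  [cli.cipher[0], !srv.peer_cert.nil?]
ensure
  [cli, srv, listener].each { |s| s&.close }
end
```

Calling handshake(require_client_cert: true) without a client_cert is the case the thread asks about: the server refuses the connection, while handshake(require_client_cert: false) still reports a negotiated cipher with no client identity.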
 
Antonio Fornie
Ranch Hand
Posts: 117
Thank you all very much! Really came in handy!!
 
Ranch Hand
Posts: 256
Nice discussion...

Cheers!
Prathap.
 
Greenhorn
Posts: 23
I would recommend you to read "SSL & TLS Essentials: Securing the Web". It's an excellent book explaining SSL.
 
Greenhorn
Posts: 15
A very good explanation
 