HTTPS encryption

 
Ranch Hand
Posts: 117
Hello again! I've got a question about HTTPS encryption:

I've read about unilateral and bilateral authentication. It means:
Unilateral authentication: Only the server gives a certificate.
Bilateral authentication: Both client and server give their certificate.

In case of unilateral, does it mean too that only the client shows its public key? If it were so, the server couldn't encrypt its responses and every eavesdropper could read the data going from the server to the client. That can't be true, so, how does it work? Is it that server has to give a certificate and a public key but client only needs to give a public key? If it were so, server would never know the validity of client public key... yes, I know it's nothing so important anyway. In fact, what I'd like to be sure of is what to answer in the SCEA5 part 1 exam.

Thanks!
 
Ranch Hand
Posts: 240
There is some introduction here:
http://java.boot.by/scea5-guide/ch08s02.html
 
Greenhorn
Posts: 12
Authentication and encryption are two different things. Even if neither party presents a certificate, public/private key pairs are generated and public keys are exchanged as part of the SSL handshake, so the entire conversation is still encrypted. If the client does not have a certificate, the identity of the client has to be established in a different way - usually a username/password. These credentials are still transmitted via HTTPS. Most often the HTTPS server has a certificate since it is easier and cheaper to obtain and maintain one on the server machine. A client certificate would have to be installed/uninstalled on each client machine, renewed regularly, revoked if stolen, etc. Which is why in practice it's only done in highly controlled environments where security is of utmost importance, such as military, other government, big financial corporations, etc.
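
The separation described in the answer above, as an added example that is not part of the original thread: a simplified model of a handshake (not real TLS) in which both sides generate ephemeral key pairs and derive the same session key, while only the server signs its key share. The Diffie-Hellman and RSA parameters, the toy cipher and all function names are constructed for this illustration and are far too weak for real use.

```python
import hashlib
import secrets

# Toy parameters, constructed for this example; far too small for real use.
P, G = 2**127 - 1, 3                       # Diffie-Hellman modulus and base
RSA_P, RSA_Q, E = 2**61 - 1, 2**89 - 1, 65537
N = RSA_P * RSA_Q                          # server public key (stands in for its certificate)
D = pow(E, -1, (RSA_P - 1) * (RSA_Q - 1))  # server private key

def digest(share):
    return int.from_bytes(hashlib.sha256(str(share).encode()).digest(), "big") % N

def key_share():
    """Fresh (ephemeral) key pair; both sides make one, certificate or not."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def server_sign(share):
    return pow(digest(share), D, N)        # textbook RSA signature, no padding

def client_verify(share, sig):
    return pow(sig, E, N) == digest(share)

def session_key(my_priv, peer_share):
    secret = pow(peer_share, my_priv, P)   # same value on both sides
    return hashlib.sha256(str(secret).encode()).digest()

def xor_stream(key, data):
    """Toy stream cipher (SHA-256 in counter mode); the same call decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def handshake(tamper=False):
    c_priv, c_share = key_share()          # client: no certificate, no signature
    s_priv, s_share = key_share()
    sig = server_sign(s_share)             # only the server proves its identity
    if tamper:                             # server share replaced in transit
        s_share = key_share()[1]
    if not client_verify(s_share, sig):
        raise ValueError("server key share not signed by the certificate key")
    return session_key(c_priv, s_share), session_key(s_priv, c_share)

if __name__ == "__main__":
    client_key, server_key = handshake()
    reply = xor_stream(server_key, b"HTTP/1.1 200 OK")   # server -> client
    print(client_key == server_key, xor_stream(client_key, reply))
```

The client never holds a long-term key here, yet the server's reply is encrypted under a key only the two endpoints can compute; the client's identity would then be established inside that channel, for example with a username and password.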
 
Antonio Fornie
Ranch Hand
Posts: 117
Thank you all very much! Really came in handy!!
 
Ranch Hand
Posts: 256
Nice discussion...

Cheers!
Prathap.
 
Greenhorn
Posts: 23
I would recommend you to read "SSL & TLS Essentials: Securing the Web". It's an excellent book explaining SSL.
 
Greenhorn
Posts: 15
A very good explanation
 