RE: digital certificate question

From: Laidlaw, Patrick A. (Patrick.Laidlaw@wwt.com)
Date: Fri Apr 13 2007 - 20:51:36 ART


CA | Peer A | Peer B | Hacker X

The CA signs both Peer A's certificate/public key and Peer B's
certificate/public key. This prevents Hacker X from sending a fake
public key to Peer A or B and disguising it as Peer A's or B's real public
key.

Without the CA, Hacker X can intercept the transaction of public keys and
insert his own public keys, giving him the ability to encrypt and decrypt
to Peer A and Peer B (known as man in the middle). Without the CA there
is no way to absolutely know that the public key you're encrypting with
really is the intended peer's key.

Patrick Laidlaw
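Added example, not part of this thread: a toy illustration of the point above (the CA's signature binds Peer B's name to Peer B's key, so a swapped-in key from Hacker X fails validation) and of TAM's point quoted further down (holding B's certificate is not the same as holding B's private key). The textbook RSA, the tiny constructed primes and the party names are assumptions for illustration only.

```python
import hashlib

# Constructed toy keys: tiny textbook RSA so the trust chain stays visible.
# Real deployments use large keys, padding and X.509 encodings.
def make_keypair(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)          # (public, private)

def digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

def to_be_signed(subject, pub):
    # The CA binds an identity to a public key; this is what it signs.
    return f"{subject}|{pub[0]}|{pub[1]}".encode()

def issue_cert(ca_priv, subject, pub):
    return {"subject": subject, "pub": pub,
            "sig": sign(ca_priv, to_be_signed(subject, pub))}

def validate_cert(ca_pub, cert):
    # Peer A's check: does the CA's signature cover this name and this key?
    return verify(ca_pub, to_be_signed(cert["subject"], cert["pub"]), cert["sig"])

def encrypt(pub, m):
    return pow(m, pub[1], pub[0])

def decrypt(priv, c):
    return pow(c, priv[1], priv[0])

# Parties from the thread, with constructed primes.
CA_PUB, CA_PRIV = make_keypair(10007, 10009)
B_PUB, B_PRIV = make_keypair(10037, 10039)
X_PUB, X_PRIV = make_keypair(10061, 10067)
CERT_B = issue_cert(CA_PRIV, "PeerB", B_PUB)

def mitm_key_swap_detected():
    # X intercepts B's cert and swaps in his own key, keeping the CA's signature.
    forged = dict(CERT_B, pub=X_PUB)
    return validate_cert(CA_PUB, CERT_B) and not validate_cert(CA_PUB, forged)

def stolen_cert_cannot_decrypt(m=42):
    # TAM's point: a reply encrypted to the key in B's cert needs B's private key.
    c = encrypt(CERT_B["pub"], m)
    return decrypt(B_PRIV, c) == m and decrypt(X_PRIV, c) != m
```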

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Cacca Mucca
Sent: Friday, April 13, 2007 2:40 PM
To: Edward Norton
Cc: TAM; ccielab@groupstudy.com; security@groupstudy.com
Subject: Re: digital certificate question

"why on earth do we need to do all this certificate stuff if peerB can just
send out his public key (which is public anyway) and depend on his own
private key that no one can know about?"

Mathematicians exist for a reason, and they've come up with formulas and
algorithms that make all this work like magic.

On 4/13/07, Edward Norton <doubleccie@yahoo.com> wrote:
>
> Ok folks ..I have read whatever was posted so far about my question..all
> are about the private key portion which is hidden with peerB ..I know
> that peerC cannot go anywhere with "emulating" peerB's certificate
> since he does not have the private key of peerB...that is all ok and
> understandable ..but why on earth do we need to do all this certificate
> stuff if peerB can just send out his public key (which is public
> anyway) and depend on his own private key that no one can know about?
>
>
> ok in other words ..the whole point of the certificate is origin
> authentication (peerA needs to check that peerB is actually peerB)
> ..it is not about decrypting whatever peerB sends because this is a
> stage that will come after origin authentication
>
>
> in similarity to pre-shared keys ..a digital certificate is similar to
> someone who comes to know your preshared key which is used to
> authenticate the origin (not decrypt his messages) ....in similar
> fashion ..isn't just getting the certificate of this origin simply
> as if knowing his preshared key ??
>
> thanks :)
>
>
> TAM <auha84@dsl.pipex.com> wrote:
>
> I'll have a go at this, though after a few(...) beers things are
> starting to get hazy.
>
> Say Peer C gets the certificate, all it contains is PeerB's public key
> and the signature of the CA. That's fine for initiating communications
> with whomever Peer C wants, but what happens when Peer A (or any peer
> that Peer C attempts to communicate with) replies to Peer C? Peer
> A/other will encrypt its reply with Peer C's (really B's) Public key,
> so the only node that can DEcrypt it is the owner of B's Private key
> - namely B, and not Peer C. So Peer C may see data coming back from
> Peer A but it will be unable to decipher it.
>
> I'm sure someone can explain it a little better than this (and
> highlight the downside to writing emails while a little tipsy..)
>
> Thanks,
>
> TAM
>
>
> Edward Norton wrote:
> > Folks ;
> > I have spent some time reading and testing the point of using digital
> > certificate as a way of origin authentication with VPN peers , there
> > is a question which bothers my theory understanding which is as follows
> >
> > if peerA wants to check that peerB is actually peerB , he would request
> > the digital certificate of peerB (which contains peerB's Public key and
> > the signature of the CA ) ...on peerA there are two certificates ,
> > his own identity certificate and the certificate of the CA (which
> > contains the public key of the CA and will validate the signature of
> > peerB's certificate )
> >
> > all that is ok , now the question is ..since peerB sends out his digital
> > certificate to anyone who requests to authenticate with him..why not
> > someone (peerC) gets this certificate ..installs it and acts as if he
> > is peerB ??
> >
> >
> > I am sure I must be missing something here ...can someone explain this
> >
> > thanks



This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:35 ART