Re: digital certificate question

From: Edward Norton (doubleccie@yahoo.com)
Date: Sat Apr 14 2007 - 04:03:02 ART


Ok guys ..thanks to all the posts ..they were very informative
   
  I think two important notes I got from you guys: first, no one can claim he is peerB unless he is actually using peerB's certificate, since it has to be signed by the CA. This will stop someone from just coming along, exchanging public keys and communicating with peerA.
   
  The second point is that some encryption and decryption has to be done before peerA accepts peerB as authenticated. That will make peerA sure that peerB (who sent out the cert) has the private key of this certificate.
   
  thanks to all
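The two points above (the certificate must carry the trusted CA's signature, and the claimant must then prove it holds the matching private key) can be seen end to end in the following added example. It is not code from the thread or from any VPN product; it uses Go's standard crypto/x509 and crypto/rsa packages, and it models the proof-of-possession step as signing a fresh random nonce, which is a simplification of what IKE actually signs (a hash over the exchange). The CA name "Test CA", the peer name "peerB", the serial numbers and the key size are all assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Peer is what a VPN endpoint actually holds: an identity certificate and,
// only for the legitimate owner, the private key that matches it.
type Peer struct {
	Cert *x509.Certificate
	Key  *rsa.PrivateKey // nil for someone who merely copied the certificate
}

// makeCert generates a key and a certificate for cn. With parent == nil the
// certificate is self-signed; otherwise it is signed by the parent's key.
// (Assumed test values: 2048-bit RSA, one-day validity.)
func makeCert(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*Peer, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Peer{Cert: cert, Key: key}, nil
}

// respond is the claimant's side of the challenge: sign peerA's nonce with the
// private key. A peer that only copied the certificate has nothing to sign with.
func (p *Peer) respond(nonce []byte) ([]byte, error) {
	if p.Key == nil {
		return nil, errors.New("no private key for this certificate")
	}
	digest := sha256.Sum256(nonce)
	return rsa.SignPSS(rand.Reader, p.Key, crypto.SHA256, digest[:], nil)
}

// authenticate is peerA's side. The claimant is accepted as expectedCN only if
// (1) the presented certificate is signed by the CA peerA trusts, and
// (2) the claimant signs a fresh nonce with the key matching that certificate.
func authenticate(ca *x509.Certificate, claimant *Peer, expectedCN string) error {
	if err := claimant.Cert.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("certificate not issued by trusted CA: %w", err)
	}
	if cn := claimant.Cert.Subject.CommonName; cn != expectedCN {
		return fmt.Errorf("certificate is for %q, not %q", cn, expectedCN)
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	sig, err := claimant.respond(nonce)
	if err != nil {
		return fmt.Errorf("claimant could not answer challenge: %w", err)
	}
	pub, ok := claimant.Cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("certificate does not carry an RSA key")
	}
	digest := sha256.Sum256(nonce)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return fmt.Errorf("response does not verify under the certificate's key: %w", err)
	}
	return nil
}

// Scenario plays out the thread: a CA, the real peerB, peerC who copied peerB's
// (public) certificate, and peerC presenting a self-made "peerB" certificate.
// It returns peerA's verdict on each claimant (nil means accepted).
func Scenario() (genuineB, copiedCert, selfSigned error, setupErr error) {
	ca, err := makeCert("Test CA", 1, true, nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	peerB, err := makeCert("peerB", 2, false, ca.Cert, ca.Key)
	if err != nil {
		return nil, nil, nil, err
	}
	peerC := &Peer{Cert: peerB.Cert} // copied certificate, no private key
	forged, err := makeCert("peerB", 3, false, nil, nil) // no CA involved
	if err != nil {
		return nil, nil, nil, err
	}
	return authenticate(ca.Cert, peerB, "peerB"),
		authenticate(ca.Cert, peerC, "peerB"),
		authenticate(ca.Cert, forged, "peerB"), nil
}

func main() {
	b, c, f, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine peerB:", b, "| copied cert:", c, "| self-signed cert:", f)
}
```

Run as written, the genuine peerB passes both checks, the copy of B's certificate fails at the challenge because there is no private key to sign with, and the self-made certificate fails at CheckSignatureFrom before any challenge is sent. Note that the order matters: peerA validates the CA signature first so that it never spends a private-key operation on a certificate nobody it trusts has vouched for.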

"M. Mohan" <mmsundar@yahoo.com> wrote:
  Edward,

Authentication is NOT complete unless both the peers
are able to encrypt and decrypt a "piece-of-data"
using the public-private key pairs.

OK, peer C can say I am B, but A will have to
challenge that by encrypting a piece of data to make
sure that C indeed has the private key of the
corresponding public key that was in the certificate.
Until then, it does not believe that B is indeed B.

As far as I know, a Digital Certificate simply answers
one question: does this public key belong to this
entity? Yes or no. This is answered by the CA, whom A
trusts. Without a CA, anyone can generate a cert and
present it to the other peer, but based on what will
the other peer trust this cert? That is why we have
a CA.

Can anyone answer in a better way?

Thank you,
Mohan
--- Edward Norton wrote:

> Ok folks ..i have read whatever was posted so far about
> my question..all are about the private key portion
> which is hidden with peerB ..I know that peerC
> cannot go anywhere with "emulating" peerB's
> certificate since he does not have the private key
> of peerB...that is all ok and understandable ..but
> why on earth do we need to do all this certificate
> stuff if peerB can just send out his public key
> (which is public anyway) and depend on his own
> private key that no one can know about?
>
>
> ok in other words ..the whole point of the certificate
> is origin authentication (peerA needs to check that
> peerB is actually peerB) ..it is not about
> decrypting whatever peerB sends because this is a
> stage that will come after origin authentication
>
>
> in similarity to pre-shared keys ..a digital
> certificate is similar to someone who comes to know
> your preshared key which is used to authenticate the
> origin (not decrypt his messages) ....in similar
> fashion ..isn't just getting the certificate of
> this origin simply as if knowing his preshared
> key ??
>
> thanks :)
>
>
> TAM wrote:
>
> I'll have a go at this, though after a few(...) beers
> things are starting to get hazy.
>
> Say Peer C gets the certificate, all it contains is
> PeerB's public key and the signature of the CA. That's
> fine for initiating communications with whomever Peer C
> wants, but what happens when Peer A (or any peer that
> Peer C attempts to communicate with) replies to Peer C?
> Peer A/other will encrypt its reply with Peer C's
> (really B's) public key, so the only node that can
> DEcrypt it is the owner of B's private key - namely B,
> and not Peer C. So Peer C may see data coming back from
> Peer A but it will be unable to decipher it.
>
> I'm sure someone can explain it a little better than
> this (and highlight the downside to writing emails
> while a little tipsy..)
>
> Thanks,
>
> TAM
>
>
> Edward Norton wrote:
> > Folks ;
> > I have spent some time reading and testing the
> point of using digital certificates as a way of
> origin authentication with VPN peers. There is a
> question which bothers my theoretical understanding,
> which is as follows
> >
> > if peerA wants to check that peerB is actually
> peerB, he would request the digital certificate of
> peerB (which contains peerB's public key and the
> signature of the CA) ...on peerA there are two
> certificates, his own identity certificate and the
> certificate of the CA (which contains the public key
> of the CA and will validate the signature of peerB's
> certificate)
> >
> > all that is ok, now the question is ..since peerB
> sends out his digital certificate to anyone who
> requests to authenticate with him..why couldn't someone
> (peerC) get this certificate, install it and act
> as if he is peerB ??
> >
> >
> > i am sure i must be missing something here ...can
> someone explain this
> >
> > thanks



This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:35 ART