Hi, I was wondering: normally an SSL encrypted connection is established by first authenticating client and server by a trusted third party (CA). For HTTPS connections, this is common. But Java, for example, offers the SSLServerSocket and SSLSocket to establish a secure connection between client and server. I assume that in this situation there is no CA. Does an SSL connection without authentication using a CA still make an SSL connection? In other words: does an SSL connection make an SSL connection because it is an encrypted connection? Thanks! Jeroen
It's been a while since I looked at the SSL spec, but IIRC, the issue is as follows.

Certificates are about authentication. They're like a driver's license (ID) for computers, used to identify one entity to another. I can claim to be "Barry Covensworth" and how do you know I'm not? But when I claim to be "Mark Herschberg" you can trust me in so much as you can trust MIT, who gave me a certificate saying "MIT says, this is Mark Herschberg." Basically, how much you trust a person depends on how much you trust a CA.

Now suppose Alice and Bob want to talk. They don't have certificates, but they don't really care. Alice is pretty sure that that is Bob and vice versa. They're willing to risk having the wrong identity. What they're not willing to risk is having Mallory listen in, so they still need security.

Think of it as talking to someone on the phone, using an encrypted phone line. Alice dials Bob's number. It's probably Bob, but it could also be Bob's wife, or a friend who came over, or possibly even a burglar who came in. Still, Alice is confident enough that it's Bob, and it may cost too much to confirm it, that she's willing to "take the word of the other party" that it is Bob. So the identities aren't fully established. However, the phone line is encrypted, and so they can talk safely.

In SSL, only one party needs to have a public key, usually contained within a certificate. The party initiating the call does not need one. Does that help? --Mark
Hi Mark, Your explanation was indeed very good. I have got one doubt. Where does mutual authentication come into the picture in SSL? Is it an additional feature or is it a part of the SSL protocol? The reason being that in your example: assuming it is indeed Bob who picked up the phone, how does he ensure that it is only Alice who has called and not some telemarketing person who needs to talk to Bob over a secured line? (My imagination went wild!!) So, for Bob to know that he is indeed talking to Alice, do we need to do anything special (say some Java code) to incorporate mutual authentication, or does it come bundled up with the protocol? Excuse me for this basic question, but I am just trying to get my funds clear, as I am a rookie to SSL communication. Thanks in advance, Ganapathi
Originally posted by Ganapathi Srinivasan:
Where does mutual authentication come into the picture in SSL? Is it an additional feature or is it a part of the SSL protocol? The reason being that in your example: assuming it is indeed Bob who picked up the phone, how does he ensure that it is only Alice who has called and not some telemarketing person who needs to talk to Bob over a secured line? (My imagination went wild!!)
Yes, that is mutual authentication and it is an optional feature of SSL. If it wasn't optional, that means that everyone would need a certificate prior to using SSL. --Mark
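Added example, not part of the thread and not code from any poster: one way to switch on the optional mutual authentication discussed above with Java's SSLServerSocket, so the handshake fails unless the caller presents a certificate the server trusts. The keystore and truststore files passed as arguments, the KEYSTORE_PASS environment variable and port 8443 are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.*;

public class MutualAuthServer {
    // Load a PKCS#12 store from disk (the path is supplied by the operator).
    static KeyStore load(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pw);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2 || System.getenv("KEYSTORE_PASS") == null) {
            System.err.println("usage: KEYSTORE_PASS=... MutualAuthServer <keystore.p12> <truststore.p12>");
            return;
        }
        char[] pw = System.getenv("KEYSTORE_PASS").toCharArray(); // assumed variable name

        // Server's own key and certificate: this is how the client authenticates "Bob".
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(args[0], pw), pw);

        // Certificates (or CAs) the server accepts from clients: how "Bob" authenticates "Alice".
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(args[1], pw));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        try (SSLServerSocket server =
                 (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(8443)) { // assumed port
            // Off by default. setWantClientAuth(true) would request a certificate
            // but still accept a client that sends none.
            server.setNeedClientAuth(true);
            while (true) {
                try (SSLSocket client = (SSLSocket) server.accept()) {
                    client.startHandshake(); // throws if no trusted client certificate is presented
                    System.out.println("authenticated client: " + client.getSession().getPeerPrincipal());
                } catch (SSLException e) {
                    System.out.println("rejected: " + e.getMessage());
                }
            }
        }
    }
}
```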
I have a follow-up question on this. Appreciate any help on this. I am new to SSL; what I understand about SSL is that it provides confidentiality, integrity and authentication. From the above posts it is clear that authentication is achieved by configuring certificates. How are confidentiality and integrity achieved? We have a requirement to use SSL in an authenticated space, and we have decided not to use certificates. We use the SSLC library.