JavaRanch » Java Forums » Engineering » Security
SSL authentication without CA

J.H.B. Oosterlaar
Ranch Hand

Joined: Sep 12, 2002
Posts: 41
Hi,
I was wondering: normally an SSL encrypted connection is established by first authenticating client and server through a trusted third party (CA). For HTTPS connections, this is common.
But Java, for example, offers the SSLServerSocket and SSLSocket to establish a secure connection between client and server. I assume that in this situation there is no CA.
Does an SSL connection without authentication using a CA still make an SSL connection? In other words: does an SSL connection make an SSL connection because it is an encrypted connection?
Thanks!
Jeroen
Mark Herschberg
Sheriff

Joined: Dec 04, 2000
Posts: 6037
It's been a while since I looked at the SSL spec, but IIRC, the issue is as follows.
Certificates are about authentication. They're like a driver's license (ID) for computers, used to identify one entity to another. I can claim to be "Barry Covensworth" and how do you know I'm not? But when I claim to be "Mark Herschberg" you can trust me in so much as you can trust MIT, who gave me a certificate saying "MIT says, this is Mark Herschberg." Basically, how much you trust a person depends on how much you trust a CA.
Now suppose Alice and Bob want to talk. They don't have certificates, but they don't really care. Alice is pretty sure that that is Bob and vice versa. They're willing to risk having the wrong identity. What they're not willing to risk is having Mallory listen in, so they still need security. Think of it as talking to someone on the phone, using an encrypted phone line. Alice dials Bob's number. It's probably Bob, but it could also be Bob's wife, or a friend who came over, or possibly even a burglar who came in. Still, Alice is confident enough that it's Bob, and it may cost too much to confirm it, that she's willing to "take the word of the other party" that it is Bob. So the identities aren't fully established. However, the phone line is encrypted, and so they can talk safely.
In SSL, only one party needs to have a public key, usually contained within a certificate. The party initiating the call does not need one.
Does that help?
--Mark
Ganapathi Srinivasan
Greenhorn

Joined: Jan 17, 2003
Posts: 11
Hi Mark,
Your explanation was indeed very good.
I have got one doubt.
Where does mutual authentication come into the picture in SSL? Is it an additional feature or is it a part of the SSL protocol?
The reason being that in your example:
Assuming it is indeed Bob who picked up the phone, how does he ensure that it is only Alice who has called and not some telemarketing person who needs to talk to Bob over a secured line? (My imagination went wild!!)
So, for Bob to know that he is indeed talking to Alice, do we need to do anything special (say some Java code) to incorporate mutual authentication, or does it come bundled up with the protocol?
Excuse me for this basic question, but I am just trying to get my funds clear, as I am a rookie to SSL communication.
Thanks in advance,
Ganapathi
Mark Herschberg
Sheriff

Joined: Dec 04, 2000
Posts: 6037
Originally posted by Ganapathi Srinivasan:

Where does mutual authentication come into the picture in SSL? Is it an additional feature or is it a part of the SSL protocol?
The reason being that in your example:
Assuming it is indeed Bob who picked up the phone, how does he ensure that it is only Alice who has called and not some telemarketing person who needs to talk to Bob over a secured line? (My imagination went wild!!)

Yes, that is mutual authentication, and it is an optional feature of SSL. If it wasn't optional, that would mean that everyone would need a certificate prior to using SSL.
--Mark
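Mark's two points above (only the server needs a key, and client authentication is optional) can be exercised directly. The following is an added example, not code from this thread; it is written in Go rather than Java because Go's standard library can mint the self-signed certificates in-process, so it runs stand-alone with no keystore and no CA. The Scenario fields, the names server.example and alice, and the Run helper are this example's own; the Java counterpart of ServerRequiresClientCert is SSLServerSocket.setNeedClientAuth(true).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"net"
	"time"
)

// Scenario selects which side authenticates (field names are this example's own).
type Scenario struct {
	ClientPinsServer         bool // client trusts the server's self-signed cert directly
	ServerRequiresClientCert bool // mutual authentication (setNeedClientAuth(true) in Java)
	ClientHasCert            bool // client can present its own self-signed cert
}

// selfSigned mints a self-signed certificate for name. No CA signs it, so a
// peer can only trust it by pinning this exact certificate, exchanged out of band.
func selfSigned(name string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // our own DER, always parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// pin returns a pool holding only cert: "trust this one key", not "trust a CA".
func pin(cert *x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return pool
}

// Run performs one TLS handshake over loopback TCP and returns the error each
// side saw (nil on success). After a successful handshake the server sends "ok"
// and the client reads it, so a rejection the server issues after the client's
// Finished message (TLS 1.3 orders it that way) still surfaces as clientErr.
func Run(s Scenario) (clientErr, serverErr error) {
	serverCert, serverLeaf, err := selfSigned("server.example")
	if err != nil {
		return err, err
	}
	clientCert, clientLeaf, err := selfSigned("alice")
	if err != nil {
		return err, err
	}
	serverCfg := &tls.Config{Certificates: []tls.Certificate{serverCert}}
	if s.ServerRequiresClientCert {
		serverCfg.ClientAuth = tls.RequireAndVerifyClientCert
		serverCfg.ClientCAs = pin(clientLeaf)
	}
	clientCfg := &tls.Config{ServerName: "server.example"}
	if s.ClientPinsServer {
		clientCfg.RootCAs = pin(serverLeaf) // otherwise the client falls back to system CAs and rejects
	}
	if s.ClientHasCert {
		clientCfg.Certificates = []tls.Certificate{clientCert}
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err, err
	}
	defer ln.Close() // also unblocks Accept if the dial below fails
	done := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			done <- err
			return
		}
		srv := tls.Server(raw, serverCfg)
		if err = srv.Handshake(); err == nil {
			_, err = srv.Write([]byte("ok"))
		}
		srv.Close()
		done <- err
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err, err
	}
	cli := tls.Client(raw, clientCfg)
	if clientErr = cli.Handshake(); clientErr == nil {
		_, clientErr = io.ReadFull(cli, make([]byte, 2))
	}
	cli.Close()
	return clientErr, <-done
}
```

Run(Scenario{ClientPinsServer: true}) is the SSLSocket case from the question: the link is encrypted and the server is authenticated by its own key, while the client stays anonymous. Adding ServerRequiresClientCert and ClientHasCert gives mutual authentication, and dropping ClientHasCert from that configuration makes the server refuse the connection. Run(Scenario{}) shows the price of having no CA: a client that pins nothing has no basis to trust the self-signed server and aborts the handshake.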
archana patil
Greenhorn

Joined: Jul 31, 2004
Posts: 1
I have a follow-up question on this. Appreciate any help on this. I am new to SSL; what I understand about SSL is that it provides confidentiality, integrity and authentication. From the above posts it is clear that authentication is achieved by configuring certificates. How are confidentiality and integrity achieved? We have a requirement to use SSL in an authenticated space; we have decided not to use certificates. We use the SSLC library.

thanks