SSL question

Zhixiong Pan
Ranch Hand

Joined: Jan 25, 2006
Posts: 239
Hi all,

Please help to answer the question below, thanks.

Which of the following are mandatory steps in the SSL handshake?

A Validate Client to Server

B Validate Server to Client

C Allow client and server to choose cryptographic algorithm

D Use symmetric key encryption to generate shared secrets


SCJP 1.4 SCJD
J J Wright
Ranch Hand

Joined: Jul 02, 2008
Posts: 254
There's a relatively brief Introduction to SSL on the Sun site.


SCJP, SCWCD, SCBCD, SCEA 5
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41182
Please QuoteYourSources.


Ping & DNS - my free Android networking tools app
jeff mutonho
Ranch Hand

Joined: Apr 30, 2003
Posts: 271
Ulf Dittmer wrote: Please QuoteYourSources.


It's from the practice questions at http://www.geekinterview.com/question_details/9683
Rahul Mishra
Ranch Hand

Joined: Jan 22, 2006
Posts: 211
Just looked up this thread on geek interview and found that there was no explanation, so decided to add my 2 cents.

(a) is wrong because a client must be validated by the server only if there is mutual authentication. Mutual authentication is not mandated by SSL but it adds an extra level of security.

(b) is correct and is a key feature of an SSL handshake.

(c) is correct as negotiating on a cryptographic algorithm is one of the key features of an SSL handshake. Typically the client tells the server the algorithms it can support and the server responds by choosing an algorithm (the strongest algorithm that they both can support).

(d) is dicey but incorrect. Using a symmetric key to generate shared secrets does not make much sense (in my opinion). Shared secrets are typically generated by asymmetric keys (public, private). If both parties had a symmetric key they would not need to generate a shared secret and could directly use the symmetric key for encryption/decryption. Due to the problems involved in the distribution of secret keys, parties involved in SSL tend to derive the shared secret from asymmetric keys (using the Diffie-Hellman algorithm or the likes; because of the mathematical nature of the algorithm both parties end up generating the same shared key even if they start with asymmetric keys).

Hope that made sense..

Thanks


OCMJEA/SCEA, SCDJWS, SCBCD 1.3, SCJP 1.4
My SCEA experience:http://javalogue.blogspot.com/
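
A simplified model of the handshake steps discussed in this thread, as an added example that is not part of any poster's reply: the server picks a common cipher suite, server authentication always runs, client authentication runs only when the server asks for it, and both sides derive the same key from a Diffie-Hellman exchange. The function names, suite labels, server-preference selection rule and toy DH group are assumptions, and certificate validation is reduced to a boolean flag.

```python
import hashlib
import secrets

# Toy group (assumption): 2**127 - 1 is prime but far too small for real use.
P = 2**127 - 1
G = 3
# Constructed suite labels, in the server's order of preference (assumption).
SERVER_PREFERENCE = ["AES256-GCM", "AES128-GCM", "3DES-CBC"]


def choose_cipher(client_offer, server_pref=SERVER_PREFERENCE):
    """(c) Server picks the first suite it prefers that the client offered."""
    for suite in server_pref:
        if suite in client_offer:
            return suite
    raise ValueError("handshake failure: no common cipher suite")


def dh_keypair():
    """Return (private exponent, public value G**priv mod P)."""
    while True:
        priv = secrets.randbelow(P - 3) + 2
        pub = pow(G, priv, P)
        if 2 <= pub <= P - 2:
            return priv, pub


def dh_shared_key(own_priv, peer_pub):
    """(d) Combine own private value with the peer's public value."""
    if not 2 <= peer_pub <= P - 2:  # reject degenerate values such as 1
        raise ValueError("invalid peer public value")
    secret = pow(peer_pub, own_priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def handshake(client_offer, server_cert_valid, client_cert=None,
              require_client_cert=False):
    suite = choose_cipher(client_offer)
    if not server_cert_valid:  # (b) server authentication
        raise ValueError("server authentication failed")
    if require_client_cert and client_cert is None:  # (a) only if server asks
        raise ValueError("client certificate required")
    c_priv, c_pub = dh_keypair()  # only c_pub and s_pub cross the wire
    s_priv, s_pub = dh_keypair()
    return {"suite": suite,
            "client_key": dh_shared_key(c_priv, s_pub),
            "server_key": dh_shared_key(s_priv, c_pub),
            "client_authenticated": client_cert is not None}
```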