Susanne Kaufmann wrote:
Hello,

While experimenting with my Apache web server and OpenSSL, some questions came up. At first, what I am actually doing:

Actually I am using client authentication to identify and log in to a website. But now I want to add the possibility to encrypt files with another user's public key.

My question is: Is it possible to use an SSL certificate as a private key?
No. The certificate only contains the public part of the key. That's important.
E.g. the following scenario: There are two users, user A and user B. Both have a certificate to authenticate and log in to site xyz.com. Now user A wants to upload a file to xyz.com, but it should be for user B's eyes only. So the file gets encrypted automatically by the server with user B's public key (all users' public keys are on the server, too). Now, when user B logs on and downloads the file, it gets automatically decrypted using his private key (inside his SSL cert).

Thank you in advance for any suggestion,
Susanne

It won't work the way you describe it. Though the server can encrypt A's file for B using B's (!) certificate, it cannot decrypt it before B downloads it, since it does not have B's private key. But it would be possible if B downloads the encrypted file and decrypts it himself. This might also be done by implementing a special client which is started by B and has access to B's private key (for example after asking B for the password).

But keep in mind that your scenario (letting the server do the encryption) does not help you if the server is already compromised at the time of the upload, though it protects the data if the server gets compromised after the encryption is done (since the server cannot decrypt the file it encrypted).
Hope it helps.
Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26
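As an added illustration of the point made in this thread (it is not part of either message), here is the flow with the OpenSSL command line: the server holds only user B's certificate, extracts the public key from it, encrypts the file for B, and demonstrably cannot decrypt it afterwards; only B, holding the private key, can. The file names, the self-signed certificate for B and the plaintext are constructed for the demo; in the real setup B's certificate would come from the site's CA and B's decryption step would run on B's own machine.

```shell
#!/bin/sh
# Added example of the thread's scenario, built on the OpenSSL CLI.
# File names (b.key, b.crt, ...) and the self-signed cert are constructed for the demo.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# User B's key pair plus certificate. Only b.crt is ever handed to the server;
# b.key stays with B (here in the same directory, to keep the demo self-contained).
gen_user_b() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout b.key -out b.crt \
      -subj "/CN=user B" -days 1 >/dev/null 2>&1
}

# Server side: all it has is b.crt. A certificate carries only the public key,
# so that is all that can be extracted from it.
server_encrypt() {
  openssl x509 -in b.crt -pubkey -noout > b.pub
  # Hybrid encryption: the file is encrypted under a fresh random AES key and IV,
  # and only that small session key is RSA-OAEP-encrypted to B's public key.
  openssl rand -hex 32 > session.key
  openssl rand -hex 16 > file.iv
  openssl enc -aes-256-cbc -K "$(cat session.key)" -iv "$(cat file.iv)" \
      -in "$1" -out file.enc
  openssl pkeyutl -encrypt -pubin -inkey b.pub \
      -pkeyopt rsa_padding_mode:oaep -in session.key -out session.key.enc
  rm session.key   # the server keeps no copy of the plaintext session key
}

# What the server (or anyone holding only the certificate) cannot do: unwrap the
# session key. Returns 0 when OpenSSL refuses, i.e. when the protection holds.
server_cannot_decrypt() {
  ! openssl pkeyutl -decrypt -inkey b.crt -in session.key.enc \
      -out /dev/null >/dev/null 2>&1
}

# Client side, run by B: B's private key unwraps the session key, then the file.
client_decrypt() {
  openssl pkeyutl -decrypt -inkey b.key -pkeyopt rsa_padding_mode:oaep \
      -in session.key.enc -out session.key
  openssl enc -d -aes-256-cbc -K "$(cat session.key)" -iv "$(cat file.iv)" \
      -in file.enc -out "$1"
  rm session.key
}

# Demo run with a constructed plaintext.
gen_user_b
printf 'report for B only\n' > plain.txt
server_encrypt plain.txt
server_cannot_decrypt && echo "server: cannot decrypt (holds no private key)"
client_decrypt recovered.txt
[ "$(cat recovered.txt)" = "$(cat plain.txt)" ] && echo "B: decrypted OK"
```

The server has to store file.enc, file.iv and session.key.enc together for B; the IV and the wrapped key are not secret, only b.key is. This is exactly the split Ted describes: encryption needs nothing but the certificate, decryption needs the private key, so the decrypt step belongs in a client under B's control rather than on the web server.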
