As per my understanding, using public key cryptography for encryption is much more expensive than using symmetric key cryptography. So generally the main communication is encrypted using symmetric key cryptography, whereas public key cryptography is used to exchange keys and other information that will be used for symmetric key cryptography. Secondly, if someone manages to guess/retrieve the key used for symmetric key cryptography, s/he can only decrypt the current session. As new session keys are generated every time, the other communications are still safe.
HTH. Group, please correct me if I am wrong.

~ Urjit

----- Original Message -----
From: jackie jackie
To: openssl-users@openssl.org
Sent: Saturday, June 23, 2007 3:50 AM
Subject: RSA and DH

Hi,

I am a newbie to SSL as well as RSA security etc. However, I have read quite a bit in books and on the net. But one thing flew over my head. Please see if anyone can help me understand the following.

Suppose server and client used RSA based private/public key pairs. I understood that these would be used to authenticate each other. Leaving DSA totally aside, considering only RSA alone, I did not fully understand what DH params are being used for in such communication. There is some explanation about the need for DH params in terms of key exchange etc., but I did not follow it. I looked around quite a bit, but have not found a clear/direct answer.

The article at http://support.microsoft.com/kb/257591 tries to explain somewhat, but is at a very high level and does not even mention DH params by name at all.

My vague understanding is that, though an RSA based private/public key pair is useful for authentication, there still appears to be a need to generate some keys (symmetric ones?) for encryption on a session by session basis. It appears that either temporary RSA keys (not used, it seems, due to some security violations. OK, fine) or DH params can be used. This is the thing that went over my head. I did not understand - why is there a need for generating session to session keys
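The per-session key agreement discussed in this thread, as an added example that is not part of the original e-mails and is not OpenSSL code: each session runs a fresh Diffie-Hellman exchange over the public DH params, both ends derive the same symmetric key, and every session gets an independent one. Assumptions: RFC 3526 group 14 stands in for the DH params, HKDF (RFC 5869) with HMAC-SHA256 is the key derivation, all function names are hypothetical, and the RSA signature that authenticates the server's DH public value in a real handshake is not modelled.

```python
import hashlib, hmac, secrets

# Public "DH params": RFC 3526 group 14 (2048-bit safe prime), generator 2.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2

def dh_keypair():
    """Fresh (ephemeral) private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 3) + 2          # x in [2, p-2]
    return x, pow(G, x, P)

def shared_secret(own_priv, peer_pub):
    """Compute peer_pub^own_priv mod p, rejecting degenerate public values."""
    if not 2 <= peer_pub <= P - 2:            # 0, 1, p-1 would force a guessable secret
        raise ValueError("invalid DH public value")
    return pow(peer_pub, own_priv, P).to_bytes(256, "big")

def session_key(secret, client_random, server_random):
    """HKDF (RFC 5869) with HMAC-SHA256, one 32-byte output block."""
    prk = hmac.new(client_random + server_random, secret, hashlib.sha256).digest()
    return hmac.new(prk, b"session key\x01", hashlib.sha256).digest()

def run_session():
    """One handshake: both ends use fresh DH keys and nonces, nothing is reused."""
    c_priv, c_pub = dh_keypair()              # client sends c_pub
    s_priv, s_pub = dh_keypair()              # server sends s_pub (RSA-signed in TLS)
    c_rand, s_rand = secrets.token_bytes(32), secrets.token_bytes(32)
    k_client = session_key(shared_secret(c_priv, s_pub), c_rand, s_rand)
    k_server = session_key(shared_secret(s_priv, c_pub), c_rand, s_rand)
    return k_client, k_server

if __name__ == "__main__":
    k1_client, k1_server = run_session()
    k2_client, k2_server = run_session()
    print("session 1 keys match:", k1_client == k1_server)
    print("session 2 keys match:", k2_client == k2_server)
    print("sessions share a key:", k1_client == k2_client)
```

The private exponents are discarded when `run_session` returns, so recovering one session's key gives no help with any other session.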