On Sat January 7 2012, Manish Jain wrote:
> 
> Hi,
> 
> I am new to OpenSSL and am trying to prepare some illustrative 
> documentation on how it works.
> 
> AFAIK, OpenSSL uses the concept of a pair of keys per host : one is a 
> private key which is never communicated to any other host, and the other 
> is a public key which is transmitted to the peer (the other party). The 
> client uses the public key of the server (contained in the server's 
> certificate) to encrypt its communication, which can only be decrypted 
> with the server's private key. Please correct me if I am wrong.
>

That is the essence of what happens and by that the client knows
that it is communicating with the server it intended to reach (authentication).
 
> Now the question is : when the server sends data to the client, what key 
> does it use for encryption ? 
>

The general answer is: The client and server establish a shared key
for that purpose early in the protocol.

> Does the client communicate its public key  
> to the server (at some initial stage) which the server uses for 
> encryption ? 
>

If the communications set up between the two requires client authentication.
In many cases the client remains a stranger to the server (un-authenticated).

> If yes, what if the client does not have a pair of  
> public/private keys ?
> 

The usual case for public web browsing using https and some other protocols.
The client remains a stranger to the server.

> The question arises because it does not seem logical that the server 
> would use its private key for encrypting data to be sent to the client. 
> Else, snoopers who might have picked the public key could decrypt the 
> data too.
> 

There is an early stage in nearly all protocols, called key agreement,
where the client and server agree on a key without exchanging any of
the 'private' information that it is based on.

> Any help on clearing up the above points would be greatly appreciated.
> 

My comments above are at a very general level.
If the process was as simple as my answers, OpenSSL would not be as
large a body of code as it is.  ;-)

Mike
> 
> Thank you &
> Regards
> 
> Manish Jain
> invalid.poin...@gmail.com


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
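The key agreement Mike describes, as an added example that is not part of the original thread or of OpenSSL's own code: client and server each generate an X25519 key pair with Go's standard library (crypto/ecdh, Go 1.20 or later), exchange only the public halves, arrive at the same AES-256-GCM key, and the server then encrypts to the client with that shared key rather than with its private key. Hashing the raw shared secret in place of TLS's HKDF key schedule, and the function and type names, are my simplifications.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// NewKeyPair makes one side's X25519 key pair. Only PublicKey().Bytes() is ever
// sent to the peer; the private half stays in this process.
func NewKeyPair() (*ecdh.PrivateKey, error) { return ecdh.X25519().GenerateKey(rand.Reader) }

// Session is the record layer: the symmetric key both sides agreed on.
type Session struct{ Key []byte; aead cipher.AEAD }

// Derive combines our private key with the peer's public value; hashing the raw
// X25519 output stands in for TLS's HKDF key schedule (a simplification).
func Derive(priv *ecdh.PrivateKey, peerPub []byte) (*Session, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub) // checks length/encoding
	if err != nil {
		return nil, err
	}
	secret, err := priv.ECDH(pub) // rejects low-order / invalid peer points
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(secret)
	block, _ := aes.NewCipher(key[:]) // 32-byte key: cannot fail
	aead, err := cipher.NewGCM(block)
	return &Session{Key: key[:], aead: aead}, err
}

// Seal encrypts under the agreed key; the random nonce is prefixed to the output.
func (s *Session) Seal(plaintext []byte) []byte {
	nonce := make([]byte, s.aead.NonceSize())
	rand.Read(nonce) // crypto/rand never returns a short read
	return s.aead.Seal(nonce, nonce, plaintext, nil)
}

// Open fails on anything sealed under a different key or tampered with.
func (s *Session) Open(msg []byte) ([]byte, error) {
	if ns := s.aead.NonceSize(); len(msg) >= ns {
		return s.aead.Open(nil, msg[:ns], msg[ns:], nil)
	}
	return nil, errors.New("message too short")
}
```

A third party that captured both public values but holds a different private key derives a different Session.Key, so Open on the server's records fails for it; a real TLS handshake additionally signs the server's public value with the certificate key so the client knows whose value it is.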