September 9th, 2004, 07:05 AM
Just a question I have.
How does key authentication provide host "and" user authentication? How does it exactly work? (some links would be good)
September 9th, 2004, 08:23 AM
It's just like a checksum, I think: you basically have your key that you feed in, and you could match up the checksum of this with one stored on your computer.
Or you could have something similar to what you do with encryption: you feed it the key, it then uses the public key to turn something into plain text (or it could remain cipher text), thus allowing it to be checked and authenticated.
Think about it: what does a real key do in real life on your front door?
September 9th, 2004, 10:36 AM
The client knows that the server is who it says it is, because it has the private key corresponding to the public key in a certificate signed by a trusted third party (i.e. for HTTPS, a certification authority).
Client certificates can be signed in the same manner, and provide secure authentication in the other direction.
Each party has a private key and public key - their public key is embedded in a signed certificate. The protocol is such that it is difficult for someone without the private key to impersonate them (for difficult, read: as difficult as brute-forcing the private key).
Some SSL setups, for example SSH, rely more on individually trusted public keys than a central CA. So the client and/or server keeps a list of trusted public keys, and anyone who has the private key which goes with the public key is let in.
The basis of the entire system is that the public/private keys are asymmetric, i.e. if you encrypt something with one, it must be decrypted with the other. So if A wants to know that B is who they say they are, they encrypt something with B's public key, and B needs their private key to decrypt it. Or vice versa: B encrypts something with their own private key, and anyone with their public key can decrypt it, thus proving that it must have been encrypted by someone in possession of B's private key.
SSL systems normally use a symmetric cipher for the actual encryption though, with a randomly selected session key which is sent securely at the beginning of the session.
Symmetric encryption is much quicker than asymmetric, so it's usually used for large amounts of data.
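The challenge-response exchange the reply above describes, as an added example that is not from the thread: it uses Go's standard-library Ed25519 signatures (a signature over a fresh random challenge, which is how SSH and TLS actually prove possession of a private key, rather than literally "encrypting with the private key"), and the trust-list style of the SSH setup mentioned, where each side keeps the public keys it accepts. Running Authenticate once in each direction gives host and user authentication; all names (Identity, Authenticate, Verify, NewChallenge) are hypothetical helpers, not a real SSH or SSL API.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Identity is one party's key pair; the private half never leaves that party.
type Identity struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewIdentity generates a fresh key pair (hypothetical helper, not an SSH/SSL API).
func NewIdentity() (Identity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return Identity{Pub: pub, priv: priv}, err
}

// Prove answers a challenge by signing it; only the private-key holder can do this.
func (id Identity) Prove(challenge []byte) []byte {
	return ed25519.Sign(id.priv, challenge)
}

// NewChallenge draws a fresh random nonce so a recorded response cannot be replayed.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify accepts a response signed by one of the trusted public keys (an authorized_keys / known_hosts style list).
func Verify(trusted []ed25519.PublicKey, challenge, response []byte) (int, error) {
	for i, pub := range trusted {
		if ed25519.Verify(pub, challenge, response) {
			return i, nil // index of the trusted key that matched
		}
	}
	return -1, errors.New("response not signed by any trusted key")
}

// Authenticate: the verifier issues a challenge, the prover signs it, the verifier checks the signature.
func Authenticate(trusted []ed25519.PublicKey, prover Identity) (int, error) {
	challenge, err := NewChallenge()
	if err != nil {
		return -1, err
	}
	return Verify(trusted, challenge, prover.Prove(challenge))
}
```

Because the challenge is random each time, an eavesdropper who records one response cannot reuse it, and a party whose public key is not on the list is rejected even if it holds a valid key pair.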