Results 1 to 3 of 3

Thread: Key Authentication

  1. #1
    Join Date
    Jun 2002

    Key Authentication

    Just a question i have.

    How does key authentication provide host "and" user authentication? How does it exactly work? (some links would be good)

    Thanks guys,

  2. #2
    Senior Member
    Join Date
    Jul 2003

    its just like a checksum I think, you basically have your key that you feed in and you could match up the checksum of this with one stored on your computer.

    or you could have something similar to that you do with encryption, you feed it the key it then uses the public key to turn something into plain text or it could remain cipher text, thus allowing it to be checked and authenicated.

    think about it, what does a real key do in real life on your front door?


  3. #3
    Senior Member
    Join Date
    Jan 2002
    The client knows that the server is who it says it is, because it has the private key corresponding to the public key in a certificate signed by a trusted third party (i.e. for HTTPS, a certfication authority).

    Client certificates can be signed in the same manner, and provide secure authentication in the other direction.

    Each party has a private key and public key - their public key is embedded in a signed certificate. The protocol is such that it is difficult for someone without the private key to impersonate them (For difficult, read: as difficult as brute-forcing the private key).


    Some SSL setups, for example, SSH, rely more on individually trusted public keys than a central CA. So the client and/or server, keeps a list of trusted public keys, and anyone who has the private key which goes with the public key, is let in.


    The basis of the entire system, is that the public/private keys are asymmetric, i.e. if you encrypt something with one, it must be decrypted with the other. So if A wants to know that B is who they say they are, they encrypt something with B's public key, and B needs their private key to decrypt it. Or vice versa. B encrypts something with their own private key, and anyone with their public key can decrypt it, thus proving that it must have been encrypted by someone in posession of B's private key.

    SSL systems normally use a symmetric cipher for the actual encryption though, with a randomly selected session key which is sent securely at the beginning of the session.

    Symmetric encryption is much quicker than asymmetric, so it's usually used for large amounts of data.


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts