Cisco Support Community
New Member

Public/Private key security

I'm starting to prepare for the CCNA Security exam. While reviewing a PDF document of the presentation on this certification from this year's Cisco Live conference, the following was said on page 19:

1.) A private key is a key which is known to the person (or system) that owns it.

2.) Public key is known to everyone, but still belongs to a unique individual.

3.) Data encrypted by the public key can only be decrypted by the private key. (Provides confidentiality)

4.) Data encrypted by the private key can only get decrypted using the public key. (Provides authenticity)

OK, let's take a web application that is secured via SSL with a certificate issued by a trusted root provider. Any data encrypted by the client using the public key is pretty safe, because the web server should be the only system with the private key. Let's assume that confidential information is being displayed on the client's browser. This was encrypted by the private key, and theoretically, could be decrypted by anyone if they intercepted the public key being sent to the client. Is this correct?

My concern would be that if someone, let's say, hacked one of our client's wireless network, they could get copies of all of the data being sent from the web application we host to the client, and decrypt that information pretty easily, being able to see the HTML code and any sensitive information that it contains.

This situation is not a MITM attack, but someone just eavesdropping. Is the only way to 100% protect that traffic to have mutual authentication using certificates on each side?

4 REPLIES
Hall of Fame Super Blue

Re: Public/Private key security

Couple of things.

Data is generally not encrypted using public/private keys because it is too computationally expensive. The public and private keys are used to encrypt and securely exchange a symmetric key which is then used for encrypting and decrypting the data.

When a user logs onto an SSL site they receive the public key of the website. They (as in their browser) then generate a symmetric key and encrypt this key with the public key of the website. When the website receives this it can then decrypt the symmetric key with its private key because the symmetric key was encrypted with its public key.

Now both parties have a secure symmetric key which they can use to encrypt and decrypt the data. So if a person could get hold of the encrypted data in transport they could not decrypt it because they don't have the symmetric key.

The real weakness of a public/private key system is that at some level there must be an acceptance of trust. So Certificate Authorities such as Verisign certify other companies' certificates but who certifies Verisign? And that is where there must be some level of trust, i.e. we all trust Verisign.

Hope this makes sense.

Jon
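
The key exchange described in the reply above, as an added example that is not part of the original thread. It uses only the Python standard library: textbook RSA with fixed Mersenne primes and a SHA-256 keystream are illustrative stand-ins for the real TLS algorithms (not secure constructions), and all function names are hypothetical.

```python
import hashlib
import secrets

# Added example; names are hypothetical. Constructed demo key from two known
# Mersenne primes: far too small and unpadded for real use.
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held only by the server


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (SHA-256 in counter mode); stand-in for AES."""
    out = bytearray()
    for block in range(0, len(data), 32):
        pad = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[block:block + 32], pad))
    return bytes(out)


def client_wrap_session_key(session_key: bytes) -> int:
    """Client: encrypt the random session key under the server's PUBLIC key."""
    return pow(int.from_bytes(session_key, "big"), E, N)


def server_unwrap_session_key(wrapped: int) -> bytes:
    """Server: recover the session key with its PRIVATE key."""
    return pow(wrapped, D, N).to_bytes(16, "big")


def eavesdropper_guess(wrapped: int) -> bytes:
    """All a sniffer has is (N, E); applying them again does not undo the wrap."""
    return (pow(wrapped, E, N) % 2**128).to_bytes(16, "big")


def run_session(page: bytes) -> dict:
    session_key = secrets.token_bytes(16)           # fresh per session
    wrapped = client_wrap_session_key(session_key)  # sent client -> server
    server_key = server_unwrap_session_key(wrapped)
    ciphertext = keystream_xor(server_key, page)    # sent server -> client
    return {
        "keys_match": server_key == session_key,
        "client_view": keystream_xor(session_key, ciphertext),
        "sniffer_view": keystream_xor(eavesdropper_guess(wrapped), ciphertext),
    }


if __name__ == "__main__":
    print(run_session(b"<html>account balance: 1,234.56</html>"))
```

The page sent back to the browser is protected by the session key, not by the server's private key, so a listener holding the public key, the wrapped key and the ciphertext still sees only noise.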

New Member

Re: Public/Private key security

Yes it does. Thank you for clarifying!

So the client generates a random key for each SSL session it establishes to a secured site?

Hall of Fame Super Blue

Re: Public/Private key security

No problem, glad to help.

Yes a random key is generated for each SSL session with a particular website.

Note that the public/private keys are still used to authenticate which website you are connecting to. This is done before the symmetric key generation. It can be either just website authentication or website and client authentication.

Jon

New Member

Re: Public/Private key security

Thanks. That makes perfect sense that the client is responsible for generating the symmetric key. Unless someone has a copy of the web server's private key, they should not be able to gain access to the shared key.

This is probably out-of-scope for the CCNA Security, but we are in the middle of deploying a web-based application, which will have access to sensitive information, and I wanted to make certain that this information is safe.

Thanks again for your help!
