HTTPS communication security - encryption

I have an ambiguity about HTTPS communication, and my question may have been asked before, but I didn't find a clear response:
In HTTPS communication, the server is sharing its public key with "everyone".
If this key is shared with the public, then can't anyone decrypt the communication from the server?

No. You use the public key to encrypt the data and it's not possible to decrypt it by using the same public key.
The only way to decrypt the data is by using the corresponding private key.
This wiki article explains the core.

Related

Why do we need HTTP instead of SSH?

Why is there a SMTP/HTTP Protocol? I mean, why can't we use (or extend) the existing SSH protocol? Wouldn't using SSH also eliminate the need for a paid key?
Or, perhaps another way to frame this question is why do we need yet another encryption scheme?
There are different protocols for different purposes. What I'm hearing here really is 'why do we need to pay for an SSL certificate in HTTPS but not SSH'.
The reason for this is as follows:
When you first connect to an SSH server, you as the person logging in are asked to validate the public key. Do you read it and recognize the code before you accept it?
Imagine if this were needed the first time you connect to any HTTPS server. We can't ask users to validate every public key manually. How would they recognize which public key is the correct one?
We solve this by relying on other authorities to validate the keys. These authorities don't just sell SSL certificates, their product really is validating that the person owning the domain is the one encrypting it.
So you can totally generate your own self-signed SSL certificates, but browsers won't recognize these by default. Browsers and operating systems have a database of certificates they trust.
Anyway, these days you no longer need to pay for a certificate. LetsEncrypt gives them away for free.

Is it required to encrypt data while transferring over SFTP

We are sending some data from one system to another system (outside network). The data will be transferred over SFTP. Some of the data is sensitive.
I was told that since we are sending it over SFTP, we don't need to encrypt the data. As per my understanding even if we are sending data over SFTP, we should encrypt it.
I want to know if it's true that we don't need to encrypt data if we are sending over SFTP?
SFTP uses SSH as the underlying protocol. SSH handles encryption for you. Provided the SSH connection is secured well (e.g. using a private key) and you trust the system you are communicating with, you don't need to implement any further encryption.

public/private key cryptography ( MTA Mobility )

I have a question in MTA (Microsoft Technology Associate) Mobility and I want the answer to it, please.
The question:
A client/server application is designed to use public/private key cryptography for secure communication between client and server. The certificate is installed on the server.
When the client sends a message to the server, which key does it use to encrypt the message?
A) The client's private key
B) The client's public key
C) The server's private key
D) The server's public key
D. The Client uses the server's public key to encrypt the message it wants to send to the Server. The Server can then use its private key to decrypt the message that it was sent, because it was encrypted using that server's public key.
More info about Public Cryptography here.

How to encrypt SignalR Self Hosting Hub

I'm trying to figure out the best approach to utilize the self hosted hub in SignalR with encryption. Specifically, I don't want to allow a packet sniffer to see the function calls in plain text. I know there are approaches to utilize IIS type encryption if hosting through IIS, but we require a self hosted solution.
Are there any suggestions or people that have gone down this route?
Is there a way to self host an encrypted hub?
Otherwise an initial idea was to encrypt / decrypt the JSON object that is passing through the function calls? But you could still packet sniff the function calls...
Is it possible to self host utilizing SSL?
How would a client connect?
Any suggestions?
Thanks!
Mike
Best practice would be to use SSL as well as groups. No one will be able to sniff the packets unless they belong to that group. Beyond that, encrypting json would have to be done by SignalR framework itself, which is currently not available as far as I know.

How does SSL use symmetric and asymmetric encryption? And how do I manage certificates for multiple sites on one host? [duplicate]

First, some quotation from Microsoft TechNet's Managing Microsoft Certificate Services and SSL:
To recap, secure SSL sessions are established using the following technique:
1. The user's Web browser contacts the server using a secure URL.
2. The IIS server sends the browser its public key and server certificate.
3. The client and server negotiate the level of encryption to use for the secure communications.
4. The client browser encrypts a session key with the server's public key and sends the encrypted data back to the server.
5. The IIS Server decrypts the message sent by the client using its private key, and the session is established.
6. Both the client and the server use the session key to encrypt and decrypt transmitted data.
So, basically speaking, SSL uses asymmetric encryption (a public/private key pair) to deliver the shared session key, and finally achieves communication with symmetric encryption.
Is this right?
Add - 1 - 5:55 PM 12/17/2010
I am using IIS to host my websites. Suppose I have multiple sites on my single machine, and I want the client browser to use an SSL URL to connect to my sites. How many certificates do I need? Which of the following approaches should I take?
1 - Apply for a single certificate and associate it with my single server machine, which hosts multiple sites.
2 - Apply for several certificates and associate each of my sites with its own certificate.
In IIS7, it seems I could only do approach 1.
Update - 1 - 6:09 PM 12/17/2010
I figured it out. I could install multiple certificates on my server machine and bind each site to a separate certificate as necessary.
Yes, that's right. Asymmetric encryption is necessary to verify the other's identity and then symmetric encryption gets used because it's faster.
You're wrong at points 4 and 5. The server and client independently compute the same session key. It is never actually transmitted at all.
The answer is both. You will find a nice explanation in 4 steps from digicert.com below:
1. Server sends a copy of its asymmetric public key.
2. Browser creates a symmetric session key and encrypts it with the server's asymmetric public key. Then sends it to the server.
3. Server decrypts the encrypted session key using its asymmetric private key to get the symmetric session key.
4. Server and Browser now encrypt and decrypt all transmitted data with the symmetric session key. This allows for a secure channel because only the browser and the server know the symmetric session key, and the session key is only used for that session. If the browser was to connect to the same server the next day, a new session key would be created.
https://www.digicert.com/ssl-cryptography.htm
I would suggest that you post your update as a separate question.
In any case - you will require multiple certificates - one per site. Remember that these certificates tie your machine to your address. Since each of the websites is going to have a different address (potentially), you need different certs for each of the sites.
You can only have a single SSL cert per listening port on the server. This is because the very first thing that is sent is the server certificate (as in your timeline). This is before the HTTP request so if you try to host two domains on a single server (say foo.com and bar.com) there is no way for the server to know which certificate to send to the client.
There are a few different ways to solve this problem:
Host different domains on different servers
Host different domains on different ports (e.g. foo.com is served from 443 and bar.com is served from 8443). If you put your host behind multiple load-balancers, you can have them service all the sites on 443.
If the different domains are all sub-domains of a single parent domain, you can get a wildcard certificate. (e.g. domains www.foo.com, bar.foo.com, and baz.foo.com can all use a certificate for *.foo.com)
Get a single certificate for one of the domains and have the other domains listed as AltNames. (e.g. both foo.com and bar.com can use a foo.com certificate with a bar.com AltName)
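Added example, not part of the original answer: a sketch of how a client decides whether a certificate's names cover a host, using the wildcard and AltName cases listed above. The function names and the `CERTS` data are constructed for illustration; note that `*.foo.com` covers neither the bare `foo.com` nor `a.b.foo.com`.

```python
def name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate name with a host name.

    A '*' is honoured only as the entire leftmost label and stands for
    exactly one label. Requiring at least two labels after the '*' is a
    conservative choice made for this example.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return "*" not in pattern and p == h


def covering_certificate(certs: list, host: str):
    """Return the label of the first certificate whose names cover host."""
    for cert in certs:
        if any(name_matches(name, host) for name in cert["names"]):
            return cert["label"]
    return None


# Constructed sample data using the domains from the answer above.
CERTS = [
    {"label": "wildcard", "names": ["*.foo.com"]},
    {"label": "altnames", "names": ["foo.com", "bar.com"]},
]

if __name__ == "__main__":
    for host in ("www.foo.com", "baz.foo.com", "foo.com", "bar.com",
                 "a.b.foo.com", "www.bar.com"):
        print(f"{host:12} -> {covering_certificate(CERTS, host)}")
```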
The case where the session key is independently computed by the client and server without the key ever being transmitted is Diffie-Hellman key exchange:
https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
--- see the nice paint illustration
PKI will exchange the encrypted session key between the client and server.
The SSL client sends the random byte string that enables both the client and the server to compute the secret key to be used for encrypting subsequent message data. The random byte string itself is encrypted with the server's public key (asymmetric).
SSL uses both Asymmetric and symmetric keys.
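Added example, not taken from any of the posts above: the two key-establishment styles discussed in this thread side by side (a session secret encrypted with the server's public key, and Diffie-Hellman, where the secret is computed on each side), which also shows the point from the first question that the public key cannot undo its own encryption. It uses textbook RSA without padding and toy-sized parameters constructed for illustration; all names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Toy parameters constructed for this example; far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1             # two Mersenne primes
N, E = P * Q, 65537                     # server public key, shared with everyone
D = pow(E, -1, (P - 1) * (Q - 1))       # server private exponent, never sent
DH_P, DH_G = 2**127 - 1, 3              # toy Diffie-Hellman prime and base


def kdf(shared: int) -> bytes:
    """Turn the shared integer into a 32-byte symmetric session key."""
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def rsa_key_transport() -> dict:
    """Browser picks the secret and sends it encrypted with the public key."""
    secret = secrets.randbelow(N - 2) + 2
    wire = pow(secret, E, N)                       # the only value transmitted
    return {
        "client_key": kdf(secret),
        "server_key": kdf(pow(wire, D, N)),        # private key undoes it
        "eavesdropper": kdf(pow(wire, E, N)),      # public key applied again
        "secret_sent_in_clear": wire == secret,
    }


def dh_key_agreement() -> dict:
    """Each side sends a public value and computes the secret locally.
    (TLS also has the server sign its value with the certificate key.)"""
    a = secrets.randbelow(DH_P - 3) + 2            # client private value
    b = secrets.randbelow(DH_P - 3) + 2            # server private value
    wire = (pow(DH_G, a, DH_P), pow(DH_G, b, DH_P))
    client_secret = pow(wire[1], a, DH_P)
    return {
        "client_key": kdf(client_secret),
        "server_key": kdf(pow(wire[0], b, DH_P)),
        "secret_sent_in_clear": client_secret in wire,
    }


def seal(key: bytes, message: bytes) -> str:
    """Use the session key symmetrically: an HMAC tag both sides can check."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    for run in (rsa_key_transport(), dh_key_agreement()):
        print(run["client_key"] == run["server_key"], run["secret_sent_in_clear"])
```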
