I have a question in MTA (Microsoft Technology Associate) Mobility and I want the answer to it please
The Question :
a client/server application is designed to use public/private key cryptography for secure communication between client and server , The certificate is installed on the server
when the client send message to the server which key does it use to encrypt the message ?
A)The client's private key
B)The client's public key
C)The server's private key
D)The server's public key
D. The Client uses the server's public key to encrypt the message it wants to send to the Server. The Server can then use its private key to decrypt the message that it was sent, because it was encrypted using that server's public key.
More info about Public Cryptography here.
Related
I have a requirement in my project where I have to secure the communication between my client application (running on BizTalk Server Send port configured with Office 365 Email adaptor) and Microsoft Office 365 Server. This communication is to be secured by TLS 1.2 and a certificate is provided by MS O365 server during Server hello (handshake process) to later securely exchange the symmetric key generated at client side.
Do I need to install another certificate at client side for either generating this symmetric key or for any other purpose to achieve a better secured communication between the client and server?
No, you don't require another certificates client side (BizTalk) to establish a TLS 1.2 connection.
The BizTalk Server needs to trust the certificate however, but as this is one issues by Microsoft, it should be trusted.
I have an ambiguity about HTTPS communication and my question had may be asked but I didn't find and clear response:
In HTTPS communication, the server is sharing it's public key with "everyone"
If this key is shared with public, than doesn't anyone can decrypt the communication from the server?
No. You use the public key to encrypt the data and it's not possible to decrypt it by using the same public key.
The only way to decrypt the data is by using the correspondent private key.
This wiki article explains the core.
I have a sysem where I want to minimise outbound network communication to the internet. However, I need to ensure communication between local network clients and the local server is secure. I can't use HTTPS as an IP address is used. Also the locations where the servers are installed, the users will be non-technical, so no DNS configuration etc.. etc..
I'm hoping the following will be secure and only requires access to the internet on server/client initialization.
Is this open to attackers? (assuming the local server is secured and private key can not be extracted)
Server initializes, generates Pub/Private key pair. User signs
into account with remote server which issues access token (JWT) for remote server (HTTPS). User creates local server account (Username/Password)
Local server uploads public key to remote server (HTTPS) using remote server access token.
Client initializes and discovers server
Server responds with server id
Client hits remote server with the server id (HTTPS) and gets the public key and stores it.
Client generates Pub/Private key.
Signs into local server account sending username/password/public-key envcypted with local server public key
Local Server issues access token (JWT) and stores
client public key with that token. Any response to this access token is encrypted (body/headers) with client public key.
Client now communicates to local server with accesstoken and encryped headers/body with Local server public key.
Server responds to requests with body/headers encrypted with access token public key
I got the connection details of a SFTP server, connected to it with FileZilla, and then successfully downloaded a file from that SFTP.
The only details I had was host, port, user and pass.
Now I'm trying to connect to this same server trough WinSCP .NET assembly (C#)
using(Session session = new WinSCP.Session()) {
session.Open(new SessionOptions() {
Protocol = Protocol.,
HostName = "ftp.*********.be",
UserName ="*****",
Password ="*****"
});
TransferOptions transferOptions = new TransferOptions();
transferOptions.TransferMode = WinSCP.TransferMode.Binary;
TransferOperationResult transferResult;
transferResult = session.GetFiles("/downld/fileonserver.dbf",#"c:\testfolder\localfilename.dbf", false, transferOptions);
Whatever I try here it keeps asking for a key for SSH, but I don't have that key, I generated a 128 bit RSA key somewhere online and put it in the session options like:
SshHostKeyFingerprint = "ssh-rsa 1024 82:09:12:b4:93:92:3a:61:10:90:61:12:b4:XX:XX:XX"
But this just tells me that key is invalid.
I kind of figured out that I maybe need the public/private SSH key from the server to get this to work but I sadly don't have access to this server.
Since FileZilla can connect to it without me entering any KEYS, why can't my C# program do the same?
I'm not an expert when it comes to security related stuff, so please point me in the right direction. I found this thread but I don't have access to .ssh folder on the FTP server and I don't really get where they are going with this.
You are confusing the SSH server public host key verification with the client public key authentication. These are two completely different things. This first involves the public key of the server, while the latter involves your account public key.
Read about SSH Key Pairs to learn the difference.
FileZilla cannot connect without verifying the server's public host key either. On the first connection it always prompts you to accept the key. Once you do, it optionally caches the key and won't prompt you again, unless the key changes.
You have probably forgotten that you got this prompt before or someone else connected to the server before from your machine.
Any SSH (SFTP) client must do the same. You are losing any security had you not verified your server's host key.
You should get the host key fingerprint from your server administrator.
If you had not, you can see it on WinSCP Server and Protocol information dialog.
For details see WinSCP FAQ Where do I get SSH host key fingerprint to authorize the server?
I solved this by just copying the SSH key returned to my FileZilla client into my C# app. I don't know if this is the right thing to do, but at least it got my solution working now.
It was also an SSH-DSS key 2048 key instead of an SSH-RSA 1024, and that's why messing around with the keys kept failing I guess.
This question already has answers here:
How does browser generate symmetric key during SSL handshake
(2 answers)
Closed 2 years ago.
First, some quotation from Microsoft TechNet's Managing Microsoft Certificate Services and SSL:
To recap, secure SSL sessions are established using the following technique:
The user's Web browser contacts the server using a secure URL.
The IIS server sends the browser its public key and server certificate.
The client and server negotiate the level of encryption to use for the
secure communications.
The client browser encrypts a session key with the server's public
key and sends the encrypted data back
to the server.
The IIS Server decrypts the message sent by the client using its private
key, and the session is established.
Both the client and the server use the session key to encrypt and decrypt
transmitted data.
So, basically speaking, the SSL use the asymmetric encryption (public/private key pair) to deliver the shared session key, and finally achieved a communication way with symmetric encryption.
Is this right?
Add - 1 - 5:55 PM 12/17/2010
I am using IIS to host my websites. Suppose I have multiple sites on my single machine, and I want the client brower to use SSL URL to connect my sites. How many certificates do I need? Which of the following approach should I take?
1 - Apply for a single certicate and associate it to my single server machine which hosts mutiple sites.
2 - Apply for several certificates and associate each of my sites with its own certificate.
In IIS7, it seems I could only do approach 1.
Update - 1 - 6:09 PM 12/17/2010
I figure it out. I could install mutiple certificates on my server machine and bind each site with seperate certificate as necessary.
Yes, that's right. Asymmetric encryption is necessary to verify the others identity and then symmetric encryption gets used because it's faster.
You're wrong at points 4 and 5. The server and client independently compute the same session key. It is never actually transmitted at all.
.
The answer is both. You will find a nice explanation in 4 steps from digicert.com below:
.
Server sends a copy of its asymmetric public key.
Browser creates a symmetric session key and encrypts it with the server's asymmetric public key. Then sends it to the server.
Server decrypts the encrypted session key using its asymmetric private key to get the symmetric session key.
Server and Browser now encrypt and decrypt all transmitted data with the symmetric session key. This allows for a secure channel because
only the browser and the server know the symmetric session key, and
the session key is only used for that session. If the browser was to
connect to the same server the next day, a new session key would be
created.
https://www.digicert.com/ssl-cryptography.htm
I would suggest that you post your update as a separate question.
In any case - you will require multiple certificate - one per site. Remember that these certificates tie your machine to your address. Since each of the websites is going to have a different address (potentially) , you need different certs for each of the sites
You can only have a single SSL cert per listening port on the server. This is because the very first thing that is sent is the server certificate (as in your timeline). This is before the HTTP request so if you try to host two domains on a single server (say foo.com and bar.com) there is no way for the server to know which certificate to send to the client.
There are a few different ways to solve this problem:
Host different domains on different servers
Host different domains on different ports (eg. foo.com is serverd from 443 and bar.com is served from 8443). If you put your host behind multiple load-balancers, you can have them service all the sites on 443.
If the different domains are all sub-domains of a single parent domain, you can get a wildcard certificate. (e.g. domains www.foo.com, bar.foo.com, and baz.foo.com can all use a certificate for *.foo.com)
Get a single certificate for one of the domains and have the other domains listed as AltNames. (e.g. both foo.com and bar.com can use a foo.com certificate with a bar.com AltName)
The case where the session key is independently computed by the client and server without the key ever being transmitted is Diffie-Hellman key exchange:
https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
--- see the nice paint illustration
PKI will exchange the encrypted session key between the client and server.
The SSL client sends the random byte string that enables both the client and the server to compute the secret key to be used for encrypting subsequent message data. The random byte string itself is encrypted with the server's public key(Asymmetric).
SSL uses both Asymmetric and symmetric keys.