[Cryptography] SSL combines two aspects of communication
Tony Arcieri
bascule at gmail.com
Tue Jan 13 21:13:45 EST 2015
On Tue, Jan 13, 2015 at 3:30 PM, Andreas Junius <andreas.junius at gmail.com>
wrote:
> So what I did was adding an additional level for encryption underneath SSL
> (all at application level for a start). My server has two certificates now;
> the SSL certificate for authentication and another one that serves as the
> servers own CA. The server uses this CA certificate to sign what I call an
> “encryption certificate”, that it delivers to the client. This “encryption
> certificate” gets generated by the application server on a regular basis.
> The interval can be set via parameter, depending on the security needs of
> the application, e.g. re-generate after 4 weeks or 2 weeks or even on every
> request/session.
It sounds like you are homebrewing your own version of this:
https://en.wikipedia.org/wiki/Forward_secrecy
TLS can automatically generate ephemeral keys for encryption, while only
using the long-lived key for signing the ephemeral keys. This decouples
authentication from encryption, and ensures that every session is protected
by a brand new set of public/private keys.
You will need to use e.g. an ECDHE ciphersuite for this to happen, however
it's been built into TLS for awhile now...
--
Tony Arcieri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20150113/30f7964d/attachment.html>
More information about the cryptography
mailing list