
List:       ms-cryptoapi
Subject:    Re: Use SSL or our own encryption modules ( Urgent Please ) ???
From:       Gururaj Bilur <GururajB () SYNECTICS ! SOFT ! NET>
Date:       2000-03-27 11:14:09


Thanks for your reply,

What I understand from this is, SSL provides symmetric-key encryption with
TLS 1.0.

But if we are using PKI with pub/private keys we have to encrypt our data
explicitly before we give it to SSL/TLS.

Am I right ?

> -----Original Message-----
> From: Scott Renfro [SMTP:srenfro@securify.com]
> Sent: Friday, March 24, 2000 10:12 PM
> To:   'Gururaj Bilur'
> Subject:      RE: Use SSL or our own encryption modules ( Urgent Please )
> ???
>
> There are two general applications of encryption: transport
> and storage.
>
> SSL provides transport security; that is, it protects data
> in transit across a network connection. The data is in the
> clear at either end of the connection (browser and server),
> but encrypted between the two. This is useful to prevent
> eavesdropping by attackers between the browser and the
> server.
>
> Storage encryption provides long-term protection to data.
> An encrypted file can be stored on a file system, sent
> across a network, or published in a newspaper all the while
> maintaining the security.
>
> You'll have to decide which type of security is suitable
> for your project and threat model. More than likely, it is
> transport security. This is provided by SSL when properly
> used. SSL can provide server authentication, client
> authentication, and data encryption. It can do so with
> strong encryption (e.g., 3DES) or with weak encryption
> (e.g., RC2-40bit).
>
> If your threat model requires that data be encrypted during
> storage before and after the transmission of the data then
> you'll have to write some custom code to do that
> encryption. Trusted applications can access the user's
> key store via the CSP.
>
> It seems you're really in over your head. There are many
> issues you need to consider and understand clearly before
> you deploy something as sensitive as a banking application.
> The cryptographic primitives are not that complicated and
> the protocols are published -- many in RFCs: e.g., TLS 1.0
> which supersedes SSL 3.0 but is almost identical is found
> in RFC 2246 at http://www.ietf.org/rfc/rfc2246.txt
>
> Regards,
> Scott
>
>
> On Thu, Mar 23, 2000 at 21:16 PST you wrote:
> >
> > I am planning to use a complete PKI solution for my
> > Internet Banking System. My IBS server runs on an NT4.0
> > with IIS 4.0 and I am using IE 5.0 browser to login to
> > the server for transactions. I program using DHTML/ASP.
> > Both server and client certificates are installed
> > properly at server and browser. I am using a local MS
> > Certificate Server as CA. Pub/Private Keys are generated
> > using GemSAFE4000 cards also the certificate is stored on
> > the card. I also use GemSAFE CSP v1.0. I want to use SSL
> > for secure communication.
> >
> > QUESTIONS:-
> > We know in PKI, the encryption process involves Creating
> > a Signature with Sender's Private Key, Encrypting the
> > Data using Session Key and then Creating a Session Key
> > Blob using Receiver's Public Key.
> >
> > 1) Does SSL itself do all the encryption process
> > explained above at the client and server. If so how does
> > browser/IIS/SSL find the keys and certificates on the
> > smart card? Do we need to program anything extra at
> > client and server ?
> >
> > 2) If SSL does not do the above steps, can we write our
> > own Java Applet/DLL at the browser to do the encryption
> > before the data is actually submitted to the server ? In
> > this case how to get access to the local resources like a
> > DLL trying to find the keys and certificates on the smart
> > card ? Some people suggested that I use Signed
> > Applets/ActiveX controls at the browser for the same. Is
> > it OK or any other methods available ?
> >
> > 3) Can't we bypass SSL? If not, then we will have
> > double encryption, once by our algorithms and the other
> > by SSL. Does it really make sense?
> >
> > I already posted a similar mail on this newsgroup but got
> > few inputs.
> >
> > Can anybody please help me as I am in a critical stage of
> > the project.
> >
> > thanks,
> > Gururaj S Bilur
> > Project Leader - Technical Architecture
> > Logica Financial Products, India
> > Tel : +91 80 553 8281 Ext. 400
> > Fax: +91 80 553 5723
> > http://www.logica.com
> >
> >

----------------------------------------------------------------
Users Guide http://msdn.microsoft.com/workshop/essentials/mail.asp
contains important info including how to unsubscribe.  Save time, search
the archives at http://discuss.microsoft.com/archives/index.html
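As an added example (not code from this thread, from Microsoft CryptoAPI, or from the GemSAFE CSP), here is the three-step envelope Gururaj describes, which Scott says SSL does not produce and must be written as custom code: a signature with the sender's private key, the data encrypted under a session key, and the session key wrapped to the receiver's public key. It is written in Go so that it runs with the standard library alone rather than against the Windows CSP the poster uses. The Envelope layout, the sample transfer message and the software-generated keys are assumptions made for the example; in the poster's setup the private keys would stay on the smart card behind the CSP.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is a container invented for this example (a real system would use PKCS#7/CMS).
type Envelope struct {
	WrappedKey []byte // session key encrypted to the receiver's RSA public key (OAEP)
	Nonce      []byte // AES-GCM nonce, fresh for every session key
	Ciphertext []byte // AES-256-GCM ciphertext and tag over the message
	Signature  []byte // sender's RSA-PSS signature over SHA-256(message)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal is the three-step process from the thread: sign with the sender's private key,
// encrypt the data under a one-time session key, wrap that key to the receiver's public key.
func Seal(msg []byte, senderPriv *rsa.PrivateKey, receiverPub *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil { return nil, err }
	key := make([]byte, 32) // AES-256 session key, used for this envelope only
	if _, err := io.ReadFull(rand.Reader, key); err != nil { return nil, err }
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return nil, err }
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, key, nil)
	if err != nil { return nil, err }
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, msg, nil), sig}, nil
}

// Open reverses Seal: only the receiver's private key unwraps the session key, GCM rejects
// any altered ciphertext, and the signature check establishes who sent the message.
func Open(env *Envelope, receiverPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("session key blob is not addressed to this receiver")
	}
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	msg, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext was modified in transit or storage")
	}
	digest := sha256.Sum256(msg)
	if rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], env.Signature, nil) != nil {
		return nil, errors.New("signature does not verify: not from the claimed sender")
	}
	return msg, nil
}

func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { panic(err) }
	return k
}

// Demo runs a constructed exchange: the client seals msg for the bank, the bank opens it,
// then a tampered copy and an envelope sealed by a third party are presented. Keys are
// generated in software here (an assumption; the poster's keys live on a GemSAFE card).
func Demo(msg []byte) (recovered []byte, tamperDetected, forgerRejected bool, err error) {
	client, bank, forger := mustKey(), mustKey(), mustKey()
	env, err := Seal(msg, client, &bank.PublicKey)
	if err != nil { return nil, false, false, err }
	recovered, err = Open(env, bank, &client.PublicKey)
	if err != nil { return nil, false, false, err }
	tampered := *env // copy the struct, then flip one ciphertext byte
	tampered.Ciphertext = append([]byte(nil), env.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	_, tamperErr := Open(&tampered, bank, &client.PublicKey)
	forged, err := Seal(msg, forger, &bank.PublicKey) // third party posing as the client
	if err != nil { return nil, false, false, err }
	_, forgeErr := Open(forged, bank, &client.PublicKey)
	return recovered, tamperErr != nil, forgeErr != nil, nil
}

func main() {
	got, tamper, forge, err := Demo([]byte("transfer 100.00 from 1234 to 5678"))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("recovered=%q tamper_detected=%v forger_rejected=%v\n", got, tamper, forge)
}
```

Run as-is, the bank side recovers the message while the tampered and the forged envelopes are refused. Two caveats a practitioner would want: the sign-then-encrypt order the thread describes lets a legitimate receiver strip the outer encryption and re-wrap the still-valid signed message for someone else, so a production design includes the intended recipient in the signed data; and nothing here replaces SSL, which still authenticates the server and hides the whole request from the network, while this envelope protects the stored record and proves the sender at the application layer, which is exactly the "double encryption" Gururaj asks about.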

