tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Nikola Milutinovic" <>
Subject Re: Security problem?
Date Fri, 07 Jun 2002 09:30:43 GMT
> > So, what is suggested is that the "shopping cart" server creates the final
> > payment report and signs it with it's private key/certificate. The "financial
> > transaction" server would verify that *that* is an authentic request from the
> > "shopping cart" server.
> Ok, it was signing.  This still doesn't mean that it's "encrypted" right?
> Just that there's a high-tech version of a "checksum" in a sense?  I guess
> maybe I don't understand signing.  I thought that signed files were
> unencrypted, and that the process of "signing" generates a sort of MD5-style
> one-way hash and this is verified against the x.509.  Is this wrong?

Just as Barney Hamish pointed out, with RSA (and I think DSA) keys, you can encrypt/decript
both ways. It is just that these two modes of operation have been established as common. And
yes, a signed object is not encrypted. What would we encript it with? Our private key? the
anyone can decrypt it with our public key, so what's the point?

There is a third mode of operation, which is a combination of the two. Say we both have digital
certificates and we exchange public parts. Then I can digitally sign a message from me to
you, using my private key and encrypt it all with your public key. That message is decryptabel
only by you and using my public key, you can verify that the mesage came from me. They used
to call it "digital handshake". I believe it is a part of SSL/TLS handshake.

> Yeah -- the redirect thing sounds like a very bad idea.


View raw message