Posted to users@httpd.apache.org by Ajay Garg <aj...@gmail.com> on 2012/03/25 19:26:34 UTC

[users@httpd] How does client decrypt data in a HTTPS-based WebDAV transfer

Hi all.

I have managed to get a HTTPS-based WebDAV server up and running.

However, I have a conceptual query (sorry if I sound an absolute idiot) ::


##############################################################################################################################
When we configure "ssl.conf" and/or "httpd.conf", that information is
available only to the HTTPS-based WebDAV server.

Now, HTTPS means that the data is transferred over the wire in encrypted
form. So, right, the server has the information necessary to encrypt the
data.

BUT, HOW IS THE CLIENT ABLE TO DECRYPT THE DATA? (I have been running both
webdav server and client on the same machine; so it might very well
be the case that some info from "ssl.conf" and/or "httpd.conf" is being
used at the client side. However, I am just guessing ...
##############################################################################################################################


Sorry, if this sounds too basic a query; but this would clear a lot of
things in my head.

Looking forward to a reply.


Thanks and Regards,
Ajay

Re: [users@httpd] How does client decrypt data in a HTTPS-based WebDAV transfer

Posted by Ajay Garg <aj...@gmail.com>.
Thanks Tom..

Ahh.. that makes it even more efficient; since the symmetric key is the
only one required for encryption/decryption.
Moreover, this symmetric key is only known to the client and the server.

Thanks !!!!

Thanks and Regards,
Ajay

On Mon, Mar 26, 2012 at 2:52 PM, Tom Evans <te...@googlemail.com> wrote:

> On Mon, Mar 26, 2012 at 10:12 AM, Ajay Garg <aj...@gmail.com>
> wrote:
> > Thanks a ton Sander.
> >
> > So on session setup-phase, the server sends the public-key to the client
> > (which would hardly be a bother, even if it is intercepted by an
> > eavesdropper). This public key is then used to encrypt the data on the
> > client, send over the wire, and decrypted by the server's private key.
> >
> > That explains the client-to-server-transfer.
> >
> > However, just one last confirmation regarding the
> server-to-client-transfer.
> > Is another set of public-private (session) key pair created? (This would
> > then explain the server-to-client transfer seamlessly, wherein the client
> > would send the (session) public key to the server; server would encrypt
> data
> > using this (session) public key; send the data over the wire; and the
> client
> > would then decrypt data using the (session) private key).
> >
> > Thanks Sander. You have really been a darling in all the help ;-)
> >
> > Thanks and Regards,
> > Ajay
> >
> >
>
> No, that is not how SSL works. A brief synopsis:
>
> http://stackoverflow.com/questions/188266/how-are-ssl-certificates-verified
>
> More information can be found by searching the internet for "how does SSL
> work".
>
> Cheers
>
> Tom
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>

Re: [users@httpd] How does client decrypt data in a HTTPS-based WebDAV transfer

Posted by Tom Evans <te...@googlemail.com>.
On Mon, Mar 26, 2012 at 10:12 AM, Ajay Garg <aj...@gmail.com> wrote:
> Thanks a ton Sander.
>
> So on session setup-phase, the server sends the public-key to the client
> (which would hardly be a bother, even if it is intercepted by an
> eavesdropper). This public key is then used to encrypt the data on the
> client, send over the wire, and decrypted by the server's private key.
>
> That explains the client-to-server-transfer.
>
> However, just one last confirmation regarding the server-to-client-transfer.
> Is another set of public-private (session) key pair created? (This would
> then explain the server-to-client transfer seamlessly, wherein the client
> would send the (session) public key to the server; server would encrypt data
> using this (session) public key; send the data over the wire; and the client
> would then decrypt data using the (session) private key).
>
> Thanks Sander. You have really been a darling in all the help ;-)
>
> Thanks and Regards,
> Ajay
>
>

No, that is not how SSL works. A brief synopsis:

http://stackoverflow.com/questions/188266/how-are-ssl-certificates-verified

More information can be found by searching the internet for "how does SSL work".

Cheers

Tom



Re: [users@httpd] How does client decrypt data in a HTTPS-based WebDAV transfer

Posted by Ajay Garg <aj...@gmail.com>.
Thanks a ton Sander.

So on session setup-phase, the server sends the public-key to the client
(which would hardly be a bother, even if it is intercepted by an
eavesdropper). This public key is then used to encrypt the data on the
client, send over the wire, and decrypted by the server's private key.

That explains the client-to-server-transfer.

However, just one last confirmation regarding the
server-to-client-transfer. Is another set of public-private (session) key
pair created? (This would then explain the server-to-client transfer
seamlessly, wherein the client would send the (session) public key to the
server; server would encrypt data using this (session) public key; send the
data over the wire; and the client would then decrypt data using the
(session) private key).

Thanks Sander. You have really been a darling in all the help ;-)

Thanks and Regards,
Ajay



On Mon, Mar 26, 2012 at 11:03 AM, Sander Temme <sc...@apache.org> wrote:

> Ajay,
> On Mar 25, 2012, at 9:54 PM, Ajay Garg wrote:
>
> > Thanks Eric for the reply.
> >
> > Eric, but how is the shared secret configured?
> > I do not remember configuring anything like this for the HTTPS-based
> WebDAV server.
>
> As your DAV client and the server set up their SSL connection, they
> exchange information that is used by either side to derive a set of session
> encryption keys.  This starts with a piece of random data generated by the
> client, wrapped in the public key from the server's certificate, and sent
> to the server.  Since only the server has the corresponding private key, no
> eavesdropper can intercept this piece of data, and no one but the server
> and client have the proper input material to derive those session keys.
>
> Once the session keys are created, they are used by either side to sign,
> encrypt, decrypt and verify the SSL records sent across the connection.
>
> So the only thing that is pre-arranged is the key/certificate on the
> server, and the fact that the client trusts the server certificate (through
> the CA certificate in the client's key store or CA bundle).
>
> Hope this helps,
>
> S.
>
> > Thanks and Regards,
> > Ajay
> >
> > On Sun, Mar 25, 2012 at 11:39 PM, Eric Covener <co...@gmail.com>
> wrote:
> > > BUT, HOW IS THE CLIENT ABLE TO DECRYPT THE DATA? (I have been running
> both
> > > webdav server and client on the same machine; so it might very well
> > > be the case that some info from "ssl.conf" and/or "httpd.conf" is
> being used
> > > at the client side. However, I am just guessing ...
> >
> > Under SSL, the client and server negotiate a shared secret used to
> > encrypt/decrypt the data.
> >
> > They can set this up securely because the client starts this process
> > with info encrypted with the server's public key.
> >
> >
> >
>
>
> --
> sctemme@apache.org            http://www.temme.net/sander/
> PGP FP: FC5A 6FC6 2E25 2DFD 8007  EE23 9BB8 63B0 F51B B88A
>
> View my availability: http://tungle.me/sctemme
>
>
>
>
>

Re: [users@httpd] How does client decrypt data in a HTTPS-based WebDAV transfer

Posted by Sander Temme <sc...@apache.org>.
Ajay, 
On Mar 25, 2012, at 9:54 PM, Ajay Garg wrote:

> Thanks Eric for the reply.
> 
> Eric, but how is the shared secret configured?
> I do not remember configuring anything like this for the HTTPS-based WebDAV server.

As your DAV client and the server set up their SSL connection, they exchange information that is used by either side to derive a set of session encryption keys.  This starts with a piece of random data generated by the client, wrapped in the public key from the server's certificate, and sent to the server.  Since only the server has the corresponding private key, no eavesdropper can intercept this piece of data, and no one but the server and client have the proper input material to derive those session keys.  

Once the session keys are created, they are used by either side to sign, encrypt, decrypt and verify the SSL records sent across the connection.  

So the only thing that is pre-arranged is the key/certificate on the server, and the fact that the client trusts the server certificate (through the CA certificate in the client's key store or CA bundle).  

Hope this helps, 

S.

> Thanks and Regards,
> Ajay
> 
> On Sun, Mar 25, 2012 at 11:39 PM, Eric Covener <co...@gmail.com> wrote:
> > BUT, HOW IS THE CLIENT ABLE TO DECRYPT THE DATA? (I have been running both
> > webdav server and client on the same machine; so it might very well
> > be the case that some info from "ssl.conf" and/or "httpd.conf" is being used
> > at the client side. However, I am just guessing ...
> 
> Under SSL, the client and server negotiate a shared secret used to
> encrypt/decrypt the data.
> 
> They can set this up securely because the client starts this process
> with info encrypted with the server's public key.
> 
> 
> 


-- 
sctemme@apache.org            http://www.temme.net/sander/
PGP FP: FC5A 6FC6 2E25 2DFD 8007  EE23 9BB8 63B0 F51B B88A

View my availability: http://tungle.me/sctemme





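The key transport Sander describes above (and the symmetric follow-on that Ajay notes in his last reply), as an added example that is not code from this thread or from httpd: a Go program using only the standard library, in which the client wraps a random premaster secret in the server's public key, both sides derive the same session key from it, and the server decrypts the client's AES-GCM-protected request. NewServerKey, deriveKey, gcm and Exchange are names chosen here; the TLS PRF is reduced to a single HMAC, and the certificate check that tells the client the public key really belongs to the server is assumed to have already passed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// NewServerKey stands in for the key pair behind SSLCertificateKeyFile.
func NewServerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// deriveKey stands in for the TLS PRF: both sides mix the premaster secret with the cleartext nonces (one HMAC here).
func deriveKey(premaster, clientRand, serverRand []byte) []byte {
	h := hmac.New(sha256.New, premaster)
	h.Write(append(append([]byte("client write key"), clientRand...), serverRand...))
	return h.Sum(nil)
}

func gcm(key []byte) cipher.AEAD { // AES-256-GCM for the record layer
	block, _ := aes.NewCipher(key) // key is always 32 bytes here, so no error
	g, _ := cipher.NewGCM(block)
	return g
}

// Exchange runs the RSA key transport the reply describes: the client wraps a
// fresh premaster secret in the server's public key, both sides derive the
// session key, and the server recovers the client's encrypted request.
func Exchange(srv *rsa.PrivateKey, request []byte) ([]byte, error) {
	clientRand, serverRand := make([]byte, 32), make([]byte, 32)
	rand.Read(clientRand) // both nonces travel in the clear in the Hello messages
	rand.Read(serverRand)
	premaster := make([]byte, 48) // client-generated; only ever sent wrapped
	rand.Read(premaster)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &srv.PublicKey, premaster, nil)
	if err != nil { return nil, err }
	// An eavesdropper holds clientRand, serverRand and wrapped, but without the
	// private key cannot recover premaster, so cannot derive the session key.
	unwrapped, err := rsa.DecryptOAEP(sha256.New(), nil, srv, wrapped, nil)
	if err != nil { return nil, err }
	clientKey := deriveKey(premaster, clientRand, serverRand)
	serverKey := deriveKey(unwrapped, clientRand, serverRand) // identical bytes
	nonce := make([]byte, 12)
	rand.Read(nonce)
	record := gcm(clientKey).Seal(nil, nonce, request, nil) // client encrypts
	return gcm(serverKey).Open(nil, nonce, record, nil)     // server decrypts
}
```

This is the RSA key exchange of the TLS versions in use when the thread was written; TLS 1.3 replaced it with ephemeral Diffie-Hellman, but the structure (agree on a secret using the server's authenticated key, then derive symmetric keys and protect records with them) is unchanged.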
Re: [users@httpd] How does client decrypt data in a HTTPS-based WebDAV transfer

Posted by Ajay Garg <aj...@gmail.com>.
Just to be more elaborate, all that has been configured (for security
purposes) is ::

###################################################################
SSLCertificateFile /etc/ssl/certs/ssl.crt
SSLCertificateKeyFile /etc/ssl/certs/ssl.key
###################################################################

in "ssl.conf", and (I think) this is available only to the server. So, the
data can be encrypted, but I am still clueless as to how it is decrypted at
the client side.


Regards,
Ajay


On Mon, Mar 26, 2012 at 10:24 AM, Ajay Garg <aj...@gmail.com> wrote:

> Thanks Eric for the reply.
>
> Eric, but how is the shared secret configured?
> I do not remember configuring anything like this for the HTTPS-based
> WebDAV server.
>
> Thanks and Regards,
> Ajay
>
>
> On Sun, Mar 25, 2012 at 11:39 PM, Eric Covener <co...@gmail.com> wrote:
>
>> > BUT, HOW IS THE CLIENT ABLE TO DECRYPT THE DATA? (I have been running
>> both
>> > webdav server and client on the same machine; so it might very well
>> > be the case that some info from "ssl.conf" and/or "httpd.conf" is being
>> used
>> > at the client side. However, I am just guessing ...
>>
>> Under SSL, the client and server negotiate a shared secret used to
>> encrypt/decrypt the data.
>>
>> They can set this up securely because the client starts this process
>> with info encrypted with the server's public key.
>>
>>
>>
>

Re: [users@httpd] How does client decrypt data in a HTTPS-based WebDAV transfer

Posted by Ajay Garg <aj...@gmail.com>.
Thanks Eric for the reply.

Eric, but how is the shared secret configured?
I do not remember configuring anything like this for the HTTPS-based WebDAV
server.

Thanks and Regards,
Ajay

On Sun, Mar 25, 2012 at 11:39 PM, Eric Covener <co...@gmail.com> wrote:

> > BUT, HOW IS THE CLIENT ABLE TO DECRYPT THE DATA? (I have been running
> both
> > webdav server and client on the same machine; so it might very well
> > be the case that some info from "ssl.conf" and/or "httpd.conf" is being
> used
> > at the client side. However, I am just guessing ...
>
> Under SSL, the client and server negotiate a shared secret used to
> encrypt/decrypt the data.
>
> They can set this up securely because the client starts this process
> with info encrypted with the server's public key.
>
>
>

Re: [users@httpd] How does client decrypt data in a HTTPS-based WebDAV transfer

Posted by Eric Covener <co...@gmail.com>.
> BUT, HOW IS THE CLIENT ABLE TO DECRYPT THE DATA? (I have been running both
> webdav server and client on the same machine; so it might very well
> be the case that some info from "ssl.conf" and/or "httpd.conf" is being used
> at the client side. However, I am just guessing ...

Under SSL, the client and server negotiate a shared secret used to
encrypt/decrypt the data.

They can set this up securely because the client starts this process
with info encrypted with the server's public key.
