tags:

views:

536

answers:

3
+2  Q: 

SSL Certificate encryption vs cypher encryption

I just installed a SSL certificate. This certificate is encrypted with 2048 bit encryption.

However, the cypher is 128 bit encryption(or 40, or some other variation depending on the browser.)

It seems that there are two different types of encryption here. The "handshake" encryption of 2048 and the "over the wire" encryption of some magnitude smaller.

Do I have this right in theory? Can anyone explain it better?

I have been all over the Google and cannot find a clear explanation of the difference between the two.

Thanks in advance

+6  A: 

It is true that symmetric encryption typically uses much fewer bits for its key length. The reason is because symmetric encryption is much stronger at a given number of bits.

Asymmetric encryption (where each side has a different key) is much harder to pull off. It is more computationally intensive and therefore only used for the handshake portion or for encrypting a symmetric key that the rest of the message uses.

Neall  2008-10-10 17:07:01
+5  A: 

There is a good entry in Wikipedia.

You are right, there are two kinds of encryption going on. The first one is asymmetric encryption or public key encryption - this is the one with the larger key. The second type is symmetric encryption with the smaller key.

The first type of encryption (asymmetric - larger key) is used to negotiate what type of symmetric encryption the client and the server will use. They'll also exchange the session key that they'll use. This is the handshake process and this is encrpyted using the asymmetric encryption

The session key is basically the key that they'll use when sending the real data, encrypted by whatever type they've decided on the handshake process. This is the symmetric encryption part.

jop  2008-10-10 17:15:36
A: 

Thank you both for the replies. I can see how this works now.

The thing I am missing is what type of attack could be launched against the certificate itself.

If the server generates a session key that is then encrypted symmetrically, compromising the server certificate will not compromise they data because you still will not have the session key?

cjburkha  2008-10-10 18:06:35
The most common attack is the Man in the Middle attack. A third party intercepts all communications and uses a fake/forged/compromised certificate to fool both sides into thinking they have a direct connection.
James Schek  2008-10-11 00:10:11

related questions

How to implement password protection for individual files?
Encrypting appSettings in web.config
Usefulness of SQL Server "with encryption" statement
How can I use a key blob generated from Win32 CryptoAPI in my .NET application?
CodeReview: Tiny Encryption Algorithm for arbitrary sized data
Simple encryption implementation in C
Which hard disk encryption software to choose?
Passing untampered data from Flash app to server?
How do I prevent replay attacks?
Is there a best .NET algorithm for credit card encryption?
Encrypt data from users in web applications
How to encrypt one message for multiple recipients?
Two-way password encryption without ssl
What's the answer to this Microsoft PDC challenge?
GPG: How does key signing work and how is it done?
Secure Online Highscore Lists for Non-Web Games
Programmatically encrypting a config-file in .NET
How do I use 3des encryption/decryption in Java?
Encryption in C# Web-Services
Suitable alternative to CryptEncrypt
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
C# - CryptographicException: Padding is invalid and cannot be removed
How can I encode xml files to xfdl (base64-gzip)?
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
Encrypting Passwords