Question

I apologize in advance if I am fundamentally misunderstanding something, but is it possible to have encrypted communication protocols (https, I suppose) without resorting to a certificate system?

This question comes regarding the EFF/Mozilla initiative to "encrypt everywhere!" I understand that certificates verify /identity/ but is it possible and/or reasonable to build an https protocol without using verified identities? The most obvious example is communicating with self-signed cert sites, but are there other situations where you might value the encryption of the communication more than the identity of who you are communicating with?

Explanation / Answer

The data over an https connection is encrypted using a private key, which is known to both sender and receiver. The sender encrypts the data using the private key and the receiver uses the same key to decrypt the data.

The same key is not reused again, to prevent replay attacks. Therefore, a unique key must be used in every session.

Now, the question is who generates the unique key and how we share this unique key in every session. This is a problem, right? This unique private key is shared using a public-key infrastructure, and a certificate is an integral part of it. Generally, the request is initiated by the client (in this case the browser). The certificate includes the information about the server's public key, which is used to encrypt a random private key generated by the client. This data can only be decrypted by the server's private key, which is known only to the server. Once the private key is established between the client and server, they can start communicating securely, which is essentially https.
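
An added example (not part of the original question or answer) that goes slightly beyond the answer above: an unauthenticated Diffie-Hellman exchange yields an encrypted channel with no certificate, but neither endpoint can tell its peer from a relay that substitutes its own public value in transit. The toy group `P`/`G`, the `xor_cipher` helper and all function names are assumptions for illustration; this is not TLS and the parameters are not secure.

```python
import hashlib
import secrets

# Toy parameters (assumption, illustration only): the Mersenne prime
# 2**127 - 1 is far too small for real use; TLS uses vetted groups/curves.
P = 2**127 - 1
G = 3

def keypair():
    """Return (private, public) for one ephemeral Diffie-Hellman exchange."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    """Derive a 32-byte symmetric session key from the shared DH secret."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def xor_cipher(key, data):
    """Toy stream cipher (SHA-256 in counter mode); encrypts and decrypts."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def handshake(relay=None):
    """Run one exchange; `relay` is an optional (priv, pub) pair whose
    public value replaces both endpoints' public values in transit.

    Returns (client_key, server_key, relay_keys); relay_keys is None
    when the public values arrive unmodified.
    """
    c_priv, c_pub = keypair()
    s_priv, s_pub = keypair()
    if relay is None:
        return session_key(c_priv, s_pub), session_key(s_priv, c_pub), None
    r_priv, r_pub = relay
    # Each endpoint receives the relay's public value instead of its peer's,
    # so the relay shares one key with the client and another with the server.
    relay_keys = (session_key(r_priv, c_pub), session_key(r_priv, s_pub))
    return session_key(c_priv, r_pub), session_key(s_priv, r_pub), relay_keys
```

With a relay present the two endpoints derive different keys, so a mismatch check needs some authenticated reference: comparing key fingerprints out of band, or a certificate that binds the server's public value to its identity.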
