SSL without certificates

Discussion in 'Computer Security' started by MS, Jul 3, 2003.

  1. MS

    MS Guest

    I want to use SSL for client to server communication. The server is W2K.

    I don't care about server authentication, I just want to encrypt the
    connection.

    Do I still have to create and install a dummy certificate for the
    server, or is there a way to bypass it?

    It appears the SSL/TLS standard does not require the server
    authentication step during the handshake, but how is it implemented on W2K?

    I browsed through the MS Knowledgebase but couldn't find the answer.

    MS
    MS, Jul 3, 2003
    #1
    1. Advertising

  2. > I don't care about server authentication, I just want to encrypt the
    > connection.


    You could use a shared secret.

    There's plenty of IPSec information available on TechNet, if documentation
    is what you're looking for.
    Keith W. McCammon, Jul 3, 2003
    #2
    1. Advertising

  3. MS

    ho alexandre Guest

    MS wrote:
    > I want to use SSL for client to server communication. The server is W2K.
    >
    > I don't care about server authentication, I just want to encrypt the
    > connection.


    I'll take theexample of an SSH connection.
    You always need an authentication of the server, but you only need a
    keypair, not a certificate.

    --
    Xandrex
    ho alexandre, Jul 3, 2003
    #3
  4. MS

    Splatter Guest

    "MS" <> wrote in message news:...
    > I want to use SSL for client to server communication. The server is W2K.
    > I don't care about server authentication, I just want to encrypt the
    > connection.
    > Do I still have to create and install a dummy certificate for the
    > server, or is there a way to bypass it?


    I'm not sure what your specific needs are but I got around this using 2K
    at home by installing the windows certificate authority, and using it to
    roll my own CA & website certificate.
    HTH
    DP
    Splatter, Jul 3, 2003
    #4
  5. MS

    ASMdood Guest

    On Thu, 03 Jul 2003 08:59:50 -0400, MS <> wrote:

    >I want to use SSL for client to server communication. The server is W2K.
    >
    >I don't care about server authentication, I just want to encrypt the
    >connection.
    >
    >Do I still have to create and install a dummy certificate for the
    >server, or is there a way to bypass it?
    >
    >It appears the SSL/TLS standard does not require the server
    >authentication step during the handshake, but how is it implemented on W2K?
    >
    >I browsed through the MS Knowledgebase but couldn't find the answer.
    >
    >MS


    Encryption without authentication is useless.
    ASMdood, Jul 3, 2003
    #5
  6. MS

    RobH Guest

    Sorry not familiar with it, but:

    Entering your question (Microsoft implementation of ssl in Windows
    2000) into the Search the Knowledge Base at the top of Microsoft's
    Online Support site, provides several results, and hopefully some
    might discuss that. I see the mention of white papers on
    implementation, but have not read any of them so far.

    Other possible helps might be the MSDN home website, and the
    Windows Platform SDK.

    Searches for "certificateless ssl" and "certificateless tls" at
    those sites, as well as on the Web, might also produce other
    results for you.

    Regards, RobH.



    "MS" <> wrote in message news:...
    Splatter wrote:

    As I stated in my original post, I cannot find the answers in
    Microsoft
    documentation. Anybody out there who is familiar with the
    Microsoft
    implementation of SSL in W2K and can answer my question?

    MS
    RobH, Jul 5, 2003
    #6
  7. MS

    Ms Guest

    You can generate "test" sertificate and do not think about "anonymous tls"
    http://www.stunnel.org/pem/

    or you can use http://www.stunnel.org/ vs. MS ISAPI SSL filter on 443

    but stunnel USEs sertificates too:
    http://www.stunnel.org/faq/stunnel.html#certificates


    "> Does the Microsoft W2K implementation of SSL=TLS allow bypassing the
    > handshake step that sends server's certificate to the client? In other
    > words, can I set up an SSL-encrypted connections to the W2K server
    > without installing a certificate on the server?
    >
    > The specification of the TLS standard does allow that: The handshake
    > protocol can be set up so that no certificates are used, and the client
    > and the server use an "anonymous" key exchange protocol to agree on an
    > encryption key. The question is, does Microsoft implementation allow it?
    > And if so, how do I configure the server to operate this way?
    >
    >
    Ms, Jul 7, 2003
    #7
  8. MS

    MS Guest

    Terry wrote:
    > Quote: wrote that the client needs the server's
    > cert
    > because the client uses the public key from the cert to encrypt the data
    > sent to the server. That is not correct. The data sent back and forth
    > along the SSL connection are encrypted using a symmetric (secret) key,
    > not a public key. The secret key is created during the SSL handshake.
    >
    > As far as I know, in a SSL connection, the server's cert sent to client is
    > used to encrypt the session key(secret symmetric key) generated on the
    > client side which is then sent to the server for use in the connection. So
    > if the you dont use a server's cert, how can this be done?
    >


    The TLS standard allows "anonymous" key exchange. That is, the symmetric
    key is generated without a priori authentication of the two parties. For
    example, the Diffie-Hellman protocol can be used for that --- in
    essence, each party creates a piece of the key, they exchange the two
    pieces, and put them together to form the common secret key. And it's
    done in such a way that an eavesdropper cannot recreate the key.

    MS
    MS, Jul 7, 2003
    #8
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Chris

    SSL Certificates

    Chris, Aug 4, 2003, in forum: Computer Security
    Replies:
    2
    Views:
    778
    Chris
    Aug 4, 2003
  2. Lord Amoeba

    Self-issued certificates and commercial certificates.

    Lord Amoeba, Apr 30, 2004, in forum: Computer Security
    Replies:
    2
    Views:
    889
    David W.E. Roberts
    May 5, 2004
  3. Dystopia

    SSL certificates

    Dystopia, Jun 25, 2004, in forum: Computer Security
    Replies:
    1
    Views:
    414
    Dystopia
    Jun 25, 2004
  4. jenny

    Importance of SSL Certificates

    jenny, Nov 20, 2006, in forum: Software
    Replies:
    0
    Views:
    697
    jenny
    Nov 20, 2006
  5. jenny
    Replies:
    0
    Views:
    916
    jenny
    Nov 30, 2006
Loading...

Share This Page