Two Dumb Questions
des at des.no
Mon Sep 26 20:48:16 UTC 2016
RW <rwmaillists at googlemail.com> writes:
> There's a simple paint analogy here:
> that illustrates how it's possible to exchange a shared secret without
> an eavesdropper knowing what it is. The shared secret can then be used
> for symmetric encryption using something like AES.
SSL / TLS didn't commonly use DH, much less *safe* DH, until fairly
recently, and DH alone is not very useful. You need either a shared
secret or trusted key pairs to authenticate either or both endpoints.
> Actual protocols use public key cryptography so it can be established
> that the exchange is end to end, and not broken into two separate
Assuming you can trust the public key, which is what CAs are for, but
CAs can be hacked, deceived or coerced.
Dag-Erling Smørgrav - des at des.no
More information about the freebsd-security