One way SSL is one way encryption?


If one way SSL is used (server certificate authentication), then data sent from the client gets encrypted using the public key of the server certificate. So privacy protection is available for data sent from the client. My questions are:

  1. Does this mean that in one way SSL data sent from the server to the client is not encrypted and is sent as plain text?

  2. For both server-to-client and client-to-server communications the data/message is not signed, and so tamper protection or data integrity is not assured. Are there any other means to achieve data integrity while using SSL-based transport security and not message security options?

2

There are 2 answers

2
David Schwartz (BEST ANSWER)

One way SSL just means that the server does not validate the identity of the client. It has no effect on any of the other security properties of SSL.

While the SSL protocol is a bit complex, the basic gist of what happens is this: The client generates a random key, encrypts it so that only the server can decrypt it, and sends it to the server. The server and client now have a shared secret that can be used to encrypt and validate the communications in both directions.

The server has no idea of the client's identity, but otherwise, the encryption and message validation are two way.

Update:

1) Yes, encryption both ways is symmetric and uses a shared secret generated during session setup.

2) With a shared secret, message integrity is trivial to assure. You just ensure the message has a particular form. For example, I can prefix every message I send with a sequence number and append a checksum onto it before encryption. You decrypt it with the shared secret and validate the sequence number and checksum. How can an attacker substitute or modify the message without knowing the shared secret and still keep the sequence number and checksum intact?
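An added illustration of point 2 (example code, not from the answer's author): a record layer that frames each message as sequence number || payload || HMAC-SHA256 keyed with the shared session secret, which is the keyed MAC TLS uses rather than a plain checksum. The session secret and messages are constructed here; encryption of the framed record is omitted so the integrity check stands on its own.

```python
import hmac
import hashlib

SEQ_LEN = 8    # sequence number width in bytes
TAG_LEN = 32   # HMAC-SHA256 output length

def protect(secret: bytes, seq: int, payload: bytes) -> bytes:
    """Frame one record: seq || payload || HMAC(secret, seq || payload).

    The sequence number is covered by the MAC, so a receiver can detect a
    record that was dropped, replayed or reordered, not just one that was
    modified in transit.
    """
    header = seq.to_bytes(SEQ_LEN, "big")
    tag = hmac.new(secret, header + payload, hashlib.sha256).digest()
    return header + payload + tag

def verify(secret: bytes, expected_seq: int, record: bytes):
    """Return the payload if the MAC is valid and the sequence number is the
    one the receiver expects next; otherwise return None and the caller
    should treat the connection as compromised."""
    if len(record) < SEQ_LEN + TAG_LEN:
        return None
    header, payload, tag = record[:SEQ_LEN], record[SEQ_LEN:-TAG_LEN], record[-TAG_LEN:]
    expected_tag = hmac.new(secret, header + payload, hashlib.sha256).digest()
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(tag, expected_tag):
        return None
    if int.from_bytes(header, "big") != expected_seq:
        return None
    return payload

if __name__ == "__main__":
    # Constructed session secret; in TLS this would come from the handshake.
    secret = b"\x01" * 32
    record = protect(secret, 0, b"GET /account HTTP/1.1")
    print("intact record   ->", verify(secret, 0, record))
    flipped = bytearray(record)
    flipped[SEQ_LEN + 4] ^= 0x01       # one payload bit modified in transit
    print("tampered record ->", verify(secret, 0, bytes(flipped)))
    print("replayed record ->", verify(secret, 1, record))
```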

0
Techie

In SSL, two things happen:

First, a session key is negotiated using something like the Diffie-Hellman method. That generates a shared session key but never transmits the key between parties.

Second, that session key is used in a normal symmetric encryption for the duration of the connection.

SSL does use public/private in one way, because an X509 certificate is used to identify at least one end of the connection. Those certs are signed using an asymmetric key pair.

Extracted from How can SSL secure a two-way communication with only one key-pair?