public & private key security
Moderator: General Moderators
public & private key security
is it secure to have your public key and private key on the same ssl server inside a php script?
"SSL" as in the webservers secure http transfers is only for securing the connection between a client/browser and the server. It is very likely that the SSL implementation you use is mod_ssl and that it is using the OpenSSL libs. That part has nothing to do with storing sensitive info for later retrieval. But, OpenSSL is very likely installed on your system, and there are not many GNU/Linux or BSD/UNIX machines out there where GnuPG is not installed.
I am unaware of if mcrypt supports any asymetric methods, if it does not, and as you mentioned in the other thread, your application may be used in shared environment, my opionion is that you have no choice. The easiest way is to use GnuPG, but OpenSSL's S/Mime stuff may work as well.
If GnuPG is not installed, it is very easy to download and install on your own account in your own homedir, it does not take up much space, and it is fairly easy to install on Bill Gates compromised machines as well..
I am unaware of if mcrypt supports any asymetric methods, if it does not, and as you mentioned in the other thread, your application may be used in shared environment, my opionion is that you have no choice. The easiest way is to use GnuPG, but OpenSSL's S/Mime stuff may work as well.
If GnuPG is not installed, it is very easy to download and install on your own account in your own homedir, it does not take up much space, and it is fairly easy to install on Bill Gates compromised machines as well..
Hehe, I'm offline for a while and I miss thisStoker wrote:depends on environment.. but, doing so makes no sense as it removes the whole point of using assymetric (public/private key) encryption..
It doesn't remove the point of doing asymmetric encryption. It depends for what goal you are using PKE. If you're using the private key for digitally signing stuff, with the public key accessible for validation, then hat sounds fine. If you're using it for encryption with the public key, then
yes Stoker is correct and you might as well use symmetric (of course using either with the secret on the server requires a secure server.)
And yes openSSL is the only PKE library I know of for PHP. If your server is using either mod_ssl or apache-ssl to provide the secure web server, the openSSL libraries are already built and installed on your server, it should be trivial to recompile PHP for their use.
As Stoker said, using SSL at the webserver level has nothing to do with using PKE from within PHP.
The way SSL works for the webserver (overview):
Client sends a request for an SSL connection.
Server sends back a certificate that contains its Public Key and proof that it owns that Public Key, as well as a list of ciphers it likes.
Client picks a cipher and calculates a symmetric secret key for that sipher.
Client then ecrypts its cipher choice, and key choice with the server's public key and sends it back to the server.
Server decrypts the cipher choice and key and proceeds to do all communication with that client using that cipher and the chosen shared secret key.
(SSH does practically the exact same thing.) Notice that the PKE is only used until a shared symmetric key can be argreed upon.
As Stoker said, using SSL at the webserver level has nothing to do with using PKE from within PHP.
The way SSL works for the webserver (overview):
Client sends a request for an SSL connection.
Server sends back a certificate that contains its Public Key and proof that it owns that Public Key, as well as a list of ciphers it likes.
Client picks a cipher and calculates a symmetric secret key for that sipher.
Client then ecrypts its cipher choice, and key choice with the server's public key and sends it back to the server.
Server decrypts the cipher choice and key and proceeds to do all communication with that client using that cipher and the chosen shared secret key.
(SSH does practically the exact same thing.) Notice that the PKE is only used until a shared symmetric key can be argreed upon.