public & private key security

Posted: Wed Jul 02, 2003 7:09 am
by m@ndio
is it secure to have your public key and private key on the same ssl server inside a php script?

Posted: Wed Jul 02, 2003 7:20 am
by Stoker
depends on environment.. but, doing so makes no sense as it removes the whole point of using asymmetric (public/private key) encryption..

Posted: Wed Jul 02, 2003 7:25 am
by m@ndio
what about if you had your shop on one server (the encryption of card details bit) and your control panel where the user logs in to view the order on a different server (the decryption bit)??

Posted: Wed Jul 02, 2003 7:32 am
by Stoker
that would be pretty good if the control panel server is not a shared-hosting type machine and is pretty well hardened and patched/updated often..

Posted: Wed Jul 02, 2003 7:34 am
by m@ndio
sorry to keep buggin about this but I just want to be able to implement the best solution without the use of pgp, gnupg and open ssl.. I only have mcrypt and SSL

Posted: Wed Jul 02, 2003 8:49 am
by Stoker
"SSL" as in the webserver's secure http transfers is only for securing the connection between a client/browser and the server. It is very likely that the SSL implementation you use is mod_ssl and that it is using the OpenSSL libs. That part has nothing to do with storing sensitive info for later retrieval. But, OpenSSL is very likely installed on your system, and there are not many GNU/Linux or BSD/UNIX machines out there where GnuPG is not installed.

I am unaware of whether mcrypt supports any asymmetric methods. If it does not, and as you mentioned in the other thread, your application may be used in a shared environment, my opinion is that you have no choice. The easiest way is to use GnuPG, but OpenSSL's S/MIME stuff may work as well.

If GnuPG is not installed, it is very easy to download and install on your own account in your own homedir, it does not take up much space, and it is fairly easy to install on Bill Gates compromised machines as well..

Posted: Wed Jul 02, 2003 8:53 am
by nielsene
Stoker wrote: depends on environment.. but, doing so makes no sense as it removes the whole point of using asymmetric (public/private key) encryption..
Hehe, I'm offline for a while and I miss this :)

It doesn't remove the point of doing asymmetric encryption. It depends for what goal you are using PKE. If you're using the private key for digitally signing stuff, with the public key accessible for validation, then that sounds fine. If you're using it for encryption with the public key, then yes Stoker is correct and you might as well use symmetric (of course using either with the secret on the server requires a secure server.)

Posted: Wed Jul 02, 2003 8:58 am
by nielsene
And yes openSSL is the only PKE library I know of for PHP. If your server is using either mod_ssl or apache-ssl to provide the secure web server, the openSSL libraries are already built and installed on your server, it should be trivial to recompile PHP for their use.

As Stoker said, using SSL at the webserver level has nothing to do with using PKE from within PHP.

The way SSL works for the webserver (overview):
Client sends a request for an SSL connection.
Server sends back a certificate that contains its Public Key and proof that it owns that Public Key, as well as a list of ciphers it likes.
Client picks a cipher and calculates a symmetric secret key for that cipher.
Client then encrypts its cipher choice and key choice with the server's public key and sends it back to the server.
Server decrypts the cipher choice and key and proceeds to do all communication with that client using that cipher and the chosen shared secret key.

(SSH does practically the exact same thing.) Notice that the PKE is only used until a shared symmetric key can be agreed upon.
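
The split discussed in this thread (encrypt on the shop server with the public key, decrypt on the control-panel server with the private key), as an added PHP example that is not from any of the posters. It assumes PHP 7+ with the OpenSSL extension; seal_record() and open_record() are hypothetical names and the sample record is constructed.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ with the OpenSSL extension.
// seal_record() and open_record() are hypothetical names chosen for this sketch.

// Shop server: holds only the public key. openssl_seal() generates a random
// symmetric key, encrypts the data with it, and wraps that key with the RSA
// public key, so the public-key step only transports the symmetric key.
function seal_record(string $plaintext, string $publicPem): array
{
    $pub = openssl_pkey_get_public($publicPem);
    if ($pub === false) {
        throw new RuntimeException('unreadable public key');
    }
    $cipher = 'aes-256-cbc';
    if (openssl_seal($plaintext, $sealed, $wrapped, [$pub], $cipher, $iv) === false) {
        throw new RuntimeException('openssl_seal failed');
    }
    // Confidentiality only: CBC carries no integrity check on the stored record.
    return [
        'cipher' => $cipher,
        'data'   => base64_encode($sealed),
        'key'    => base64_encode($wrapped[0]),
        'iv'     => base64_encode($iv),
    ];
}

// Control-panel server: the only place the private key exists.
function open_record(array $env, string $privatePem): string
{
    $ok = openssl_open(
        base64_decode($env['data']), $plain,
        base64_decode($env['key']), $privatePem,
        $env['cipher'], base64_decode($env['iv'])
    );
    if (!$ok) {
        throw new RuntimeException('openssl_open failed');
    }
    return $plain;
}

// Demo: the key pair is generated inline only so the script runs stand-alone.
$pair = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
openssl_pkey_export($pair, $privatePem);
$publicPem = openssl_pkey_get_details($pair)['key'];

$record   = 'order=1001;card=4111111111111111'; // constructed sample value
$envelope = seal_record($record, $publicPem);    // what the shop server stores
var_dump(open_record($envelope, $privatePem) === $record);
```

With this layout a read of the shop server's storage yields only the envelope fields; recovering the record requires the private key held on the other machine.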