Re: how is this working...

Jeff Nisewanger (Jeff.Nisewanger@Eng)
Tue, 10 Mar 1998 15:44:03 -0800

Date: Tue, 10 Mar 1998 15:44:03 -0800
From: Jeff.Nisewanger@Eng (Jeff Nisewanger)
Message-Id: <199803102344.PAA11469@puuoo.eng.sun.com>
To: java-security@web1.javasoft.com, frank@uccs.jpl.nasa.gov
Subject: Re: how is this working...

> I am using SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 as my enabled cipher
> suite. I realize this is turning off authentication and that I am
> vulnerable to the "man in the middle" attack. My question is, how are
> the SSLSocket and the SSLServerSocket get a key to encrypt the channel?
> Usually what happens here is that one uses the public key to encrypt and
> the other uses the private key to decrypt. Since this is not being done
> (?), how is the session key known to both parties?

Using the above SSL cipher suite, the exchange of keys for
encrypting the channel is done using the DH or Diffie-Hellman
key exchange algorithm. This has been around for awhile and is a commonly
used way for 2 parties to anonymously create a shared secret from which
they can derive shared symetric encryption keys such the RC4 40-bit
keys implied by the above cipher suite. You can usually find details of the
algorithm in any book on security or encryption.

Jeff