Date: Tue, 10 Mar 1998 15:36:13 -0800
From: Frank Maritato <frank@uccs.jpl.nasa.gov>
To: java-security@web1.javasoft.com
Subject: how is this working...
Hello--
I am using SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 as my enabled cipher
suite. I realize this is turning off authentication and that I am
vulnerable to the "man in the middle" attack. My question is, how do
the SSLSocket and the SSLServerSocket get a key to encrypt the channel?
Usually what happens here is that one uses the public key to encrypt and
the other uses the private key to decrypt. Since this is not being done
(?), how is the session key known to both parties?
Thanks!
--
**************************************************************
Frank Maritato, Jr.        Jet Propulsion Laboratory
frank@uccs.jpl.nasa.gov    4800 Oak Grove Drive
Office: (818) 306-6109     mail stop 525-3632
FAX: (818) 306-6818        Pasadena, CA 91109-8099
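
The key agreement the question asks about, as an added example that is not part of the original message: in a DH_anon suite each side sends an unsigned Diffie-Hellman public value and computes the same pre-master secret from its own private value, so nothing is ever encrypted to a public key. The class name `AnonDhSketch`, the helper `agree` and the 2048-bit group size are assumptions made for this sketch, which uses the standard JCA `KeyAgreement` API rather than the SSL classes themselves.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Arrays;
import javax.crypto.KeyAgreement;
import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.DHParameterSpec;

// Hypothetical sketch class; models only the DH step of the handshake.
public class AnonDhSketch {

    // One side's computation: own private value combined with the peer's
    // public value gives the shared secret (Y_peer ^ x_own mod p).
    static byte[] agree(KeyPair own, PublicKey peerPublic) throws Exception {
        KeyAgreement ka = KeyAgreement.getInstance("DH");
        ka.init(own.getPrivate());
        ka.doPhase(peerPublic, true);
        return ka.generateSecret();
    }

    public static void main(String[] args) throws Exception {
        // Server side: choose the group (p, g) and a key pair. In the
        // handshake p, g and the public value Ys go out in ServerKeyExchange;
        // with a DH_anon suite that message carries no signature.
        KeyPairGenerator serverGen = KeyPairGenerator.getInstance("DH");
        serverGen.initialize(2048); // assumed size for this sketch
        KeyPair server = serverGen.generateKeyPair();
        DHParameterSpec group = ((DHPublicKey) server.getPublic()).getParams();

        // Client side: generate a key pair in the same group and send the
        // public value Yc back in ClientKeyExchange.
        KeyPairGenerator clientGen = KeyPairGenerator.getInstance("DH");
        clientGen.initialize(group);
        KeyPair client = clientGen.generateKeyPair();

        // Each side combines its private value with the other's public value.
        byte[] clientSecret = agree(client, server.getPublic());
        byte[] serverSecret = agree(server, client.getPublic());

        // Both arrive at the same pre-master secret; the RC4 and MAC keys are
        // then derived from it together with the two hello randoms.
        System.out.println("same pre-master secret: "
                + Arrays.equals(clientSecret, serverSecret));

        // Neither public value is signed, so each side runs this computation
        // with whatever value arrives: the secret is shared with *someone*,
        // but the suite gives no evidence of who that is.
    }
}
```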