Fortinet 295 FortiWeb 5.0 Patch 6 Administration Guide
•Asymmetric encryption — Public key encryption is a type of asymmetric encryption: it is
based upon two keys that are different — but exactly paired — mathematical complements.
Only the private key can decrypt data that was encrypted by its public key. The inverse is
also true: only the public key can decrypt data that was encrypted by its private key. This is
true, for example, in the RSA cryptographic algorithm.
Figure 40:RSA algorithm
SSL 3.0 or TLS 1.0 is required. During an SSL or TLS handshake, the client and server (in
this case, FortiWeb) negotiate which of their supported cryptographic algorithms to use, and
exchange certificate(s). After the server receives the client’s certificate with its public key, the
client will encrypt subsequent communications using its private key. As a result, if the server
can decrypt messages using the public key, it knows that they originate from the originally
connecting client who has the related private key, not an intercepting host (i.e. a
man-in-the-middle attack).
Encrypted transmissions can contain a message authentication checksum (MAC) to verify
that the message was not altered during transmission by an interceptor.
•Digital signatures — Public keys are also used as signatures. Similar to an encrypted
message, as long as the private key is possessed by only one individual, any signature
Depending on factors such as a misconfigured client, an SSL/TLS connection may in some
cases still be vulnerable to man-in-the-middle attacks. There are several steps that you can
take to harden security, including using greater bit strengths, updating and properly configuring
clients, revoking compromised certificates, and installing only trusted certificates. See also
“Hardening security” on page 608 and “Configuring FortiWeb to validate client certificates” on
page 316.