RSA Security 5.2.2 manual Peer-to-Peer Applications

Applications of Cryptography

public key is communicated to the server and an entry is made in the table maintained by the server for the public keys.

As an alternative, the server can certify the public keys of the client nodes by generating a digital certificate to be signed by the server’s private key. In this case, the server only trusts messages from previously-certified keys. There is no table to maintain because the digital certificate can be used to verify the identity of a node each time a connection or request is needed.

There are two approaches to establishing a link between a client and the server.

In the first approach, the server and a client determine a session key using a Diffie- Hellman key agreement protocol. The Diffie-Hellman parameters are established once at the initial setup of the server, and communicated publicly to each client when a secure connection is requested. The session key is used for bulk-data encryption; the established client RSA key pair is used for authentication or for envelope communications. Any block or stream cipher can be used for encryption with the session key. For stream ciphers, a new key should be computed for each session; this prevents attacks that compare blocks of data encrypted with the same key.

In the second approach, the server uses the client’s RSA public key (contained in the digital certificate) to generate a digital envelope for the encrypted data sent from the server to the client. Likewise, the client uses the server’s public key (known to all nodes) to create a digital envelope. In addition, each message contains digital signatures to authenticate the originator.

Peer-to-Peer Applications

Unlike a client/server application, a peer-to-peer network application provides each node with access to any other node in the network. For example, users may wish to communicate privately with other known or unknown users through secure email. In a peer-to-peer situation, no single node is capable of authenticating other client nodes.

Digital signatures can be used to provide proof of authorship to any recipient. Each node must generate its public/private key pair and obtain a digital certificate from some approved central authority. VeriSign can provide details about how to obtain a digital certificate.

Each message between any two or more nodes can be authenticated by attaching the originator’s digital certificate to the message. The recipient can verify the authenticity of the message and the originator by verifying the validity of the certificate.

Nodes on peer-to-peer applications can encrypt using digital envelopes. To do so, the sender obtains the digital certificate of each recipient and extracts the public key.