Re: Security with Streams
  • Subject: Re: Security with Streams
  • From: "Gerriet M. Denkmann" <email@hidden>
  • Date: Mon, 27 Jun 2016 13:30:03 +0700

> On 27 Jun 2016, at 12:57, Jens Alfke <email@hidden> wrote:
>
>> On Jun 26, 2016, at 8:13 PM, Gerriet M. Denkmann <email@hidden> wrote:
>>
>> Assume that an evil entity has got hold of “MyServerCertificate.cer”, but has no access to my keychain and thus to the private key of MyServerCertificate.
>> Could they use this certificate to open a secure stream to a client? Or do they need the private key to sign?
>
> — Servers don’t open connections to clients; it’s the other way around.

Sorry, I was speaking rather too loosely.

I meant: when the server accepts a connection from a client via
	netService:didAcceptConnectionWithInputStream:outputStream:
it does:
[ inputStream setProperty: settings  forKey: kCFStreamPropertySSLSettings ]

where settings has: kCFStreamSSLCertificates = array with a SecIdentityRef obtained via SecItemCopyMatching().

Could it, instead of getting the SecIdentityRef from the keychain, just use MyServerCertificate.cer instead?


> — A certificate contains only the public key, not the private key. It can’t be used to sign anything, only to verify signatures.

So this probably answers my question: It could not. (Correct?)

So the evil server has to use its own EvilServerCertificate from its own keychain.
And then the client would compare the certificate it receives with MyServerCertificate.cer and notice that these are different, thus closing the connection. (Correct?)


Kind regards,

Gerriet.
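The two halves of the setup discussed in this thread, written out as an added example (this is not code from the thread or from Apple): the server loads a SecIdentityRef (certificate plus private key) from the keychain and hands it to the accepted stream pair via kCFStreamPropertySSLSettings, and the client reads the peer trust object after the handshake and compares the presented leaf certificate byte-for-byte with the DER bytes of MyServerCertificate.cer. The keychain label "MyServerCertificate" and the path of the .cer file are hypothetical placeholders.

```objective-c
// Added example, not from the thread. Assumptions: the identity is stored in the
// keychain under the hypothetical label "MyServerCertificate", and the client has
// the DER-encoded MyServerCertificate.cer at a hypothetical path.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// ----- Server side -----------------------------------------------------------
// A bare .cer file cannot be used here: kCFStreamSSLCertificates expects a
// SecIdentityRef as its first element, and the keychain only builds an identity
// where the matching private key is present. Without the private key there is
// nothing to sign the handshake with.
static SecIdentityRef CopyServerIdentity(void) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:      (__bridge id)kSecClassIdentity,
        (__bridge id)kSecAttrLabel:  @"MyServerCertificate",   // hypothetical label
        (__bridge id)kSecReturnRef:  @YES,
        (__bridge id)kSecMatchLimit: (__bridge id)kSecMatchLimitOne,
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status != errSecSuccess) {
        NSLog(@"SecItemCopyMatching failed: %d", (int)status);
        return NULL;
    }
    return (SecIdentityRef)result;   // caller owns the reference
}

// Call from netService:didAcceptConnectionWithInputStream:outputStream:.
// Returns NO when no identity could be loaded so the caller can close the pair.
static BOOL ConfigureServerTLS(NSInputStream *input, NSOutputStream *output) {
    SecIdentityRef identity = CopyServerIdentity();
    if (identity == NULL) return NO;
    NSDictionary *settings = @{
        (__bridge id)kCFStreamSSLIsServer:     @YES,
        (__bridge id)kCFStreamSSLCertificates: @[ (__bridge id)identity ],
    };
    // The property applies to the underlying socket shared by both streams.
    BOOL ok = [input setProperty:settings
                          forKey:(__bridge NSString *)kCFStreamPropertySSLSettings];
    CFRelease(identity);
    return ok;
}

// ----- Client side -----------------------------------------------------------
// Compare the leaf certificate the server presented with the pinned DER bytes.
// Run this from the stream delegate once the handshake has completed (e.g. on
// the first NSStreamEventHasBytesAvailable) and before trusting any payload.
static BOOL PeerMatchesPinnedCertificate(NSStream *stream, NSData *pinnedDER) {
    SecTrustRef trust = (__bridge SecTrustRef)
        [stream propertyForKey:(__bridge NSString *)kCFStreamPropertySSLPeerTrust];
    if (trust == NULL || SecTrustGetCertificateCount(trust) == 0) return NO;
    SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
    NSData *presentedDER = CFBridgingRelease(SecCertificateCopyData(leaf));
    // An EvilServerCertificate carries a different public key and signature, so
    // its DER encoding differs and the comparison fails.
    return [presentedDER isEqualToData:pinnedDER];
}

static BOOL VerifyPeerOrClose(NSStream *stream) {
    NSData *pinned = [NSData dataWithContentsOfFile:@"/path/to/MyServerCertificate.cer"]; // hypothetical path
    if (pinned.length == 0) return NO;
    if (!PeerMatchesPinnedCertificate(stream, pinned)) {
        [stream close];   // mismatch: do not exchange application data
        return NO;
    }
    return YES;
}
```

One caveat when using this: if MyServerCertificate.cer is self-signed, the framework's default chain validation rejects it before the delegate ever sees a peer trust object, so the client has to make the pinned certificate an anchor (SecTrustSetAnchorCertificates on the peer trust, or the older kCFStreamSSLValidatesCertificateChain setting) and then rely on the byte comparison above as the real check.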

