Hello,

I am a Master's student and currently working on a project related to security. I have certain queries regarding SSL security. It would be of great use to me if some of my queries could be clarified. They are listed as follows:

1. How do I prove that a 256-bit ECC key is equivalently strong to a 2048-bit RSA key?

2. What types of threats could be used for testing the above question?

3. The paper has listed that the OpenSSL library can be used for enabling SSL security, certificate generation and management. I have created an ECC certificate that works fine, but the certificate shows an "Invalid digital signature" message. The elliptic curve used for certificate generation is one of the named curves supported by OpenSSL and recommended by NIST Suite B. How can that be resolved?

4. The OpenSSL library has a certificate verification method that checks the certificate's validity w.r.t. validity period, certificate chain depth, etc., so why is a Certificate Revocation List or OCSP needed? In a sense, if the verification is already done, then why should invalid certificates be revoked and verification be done on the basis of a CRL?

5. Is there any other approach for client authentication in SSL other than the certificate approach?

6. Is SSL security suitable enough for securing connections to a server in control and monitoring systems? How can client authentication be done for such systems using the SSL protocol?

7. If CRLs are to be used, then how will the CA know about the private key being compromised so that it can revoke the certificate, considering it has been forged?

Thanks and regards,
Suman Patro

--
View this message in context: http://openssl.6102.n7.nabble.com/regarding-SSL-security-tp63504.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.