Self-signed Certificate Security ( Self-signed Certificate)

Asked

Viewed 406 times

4

I am making a Java Client-Server system that will manage computers in a room, the scenario is as follows:

  • A computer, the server, waits for connections, when an action is made ( Block Screen ) this command is then sent to all connected clients.
  • The clients, are the ones that are controlled, have the server IP, and they connect to the server with that IP, once connected, wait for commands.

By the nature of the program, it should be as safe as possible so that only authorized persons can use it.

SSL was then used for communication.

  • Using openssl I created a self-signed certificate, converted to pks12, keytool to make the two keystores( or better, the Keystore for the server, and the truststore, with one certificate only, for the clients).
  • The server has the Keystore with the certificate and private key, encrypted using AES/CBC/PKCS5 and the 256-bit key derived using PBKDF2 with 1,000,000 iterations (it takes 2 seconds to decrypt). and the password is according to this site: https://apps.cygnius.net/passtest/ ( 65 bits of entropy )

  • Customers, truststore with the certificate only.

  • When connecting the server, the password must be entered to open the Keystore and be able to accept client connections.

My question is: If the customer relies only on a certificate, which was received at the installation, would the problem of self-signed certificate authentication theoretically be solved, being as secure as the common SSL, based on the trusted chain of CA’s? The fact that the certificate is Auto Signed ruins the encryption in some way, such as allowing the private key to be obtained from the public self-signed, or something like?

Obs: Customer truststore has only the certificate, and DOES NOT have the private key.

Obs²: assuming the private key is kept secret, that is, no one steals the Keystore from the server and discovers the password of the server.

1 answer

0


The verification done through the chain of Cas is to ensure that that certificate is reliable or is the authentication of the same. In a public environment, to ensure this, a trusted certification body is required to sign your certificate. In this case, as your system only trusts a certificate, it is no problem to be self-signed. You already know and trust this certificate.

The fact that it is self-signed does not influence cryptography, it will be guaranteed equally as a signed certificate. You will still guarantee the confidentiality of the data, only not the authentication, that in your scenario is not necessary, since you already do it through the truststore.

Browser other questions tagged

You are not signed in. Login or sign up in order to post.