Bug
Resolution: Unresolved
Minor
en-US (English)
Issue description
Below is the feedback from a partner for the course Quarkus-Certification (DO378-3.8).
"In the Lab (Red Hat Cloud-native Microservices Development with Quarkus) in Section 5.2 "Quiz: Securing Communication between Microservices by using Transport Layer Security (TLS) and Cross-Origin Resource Sharing (CORS)" you ask the following question:
"Which of the following statements about TLS is correct?"
The answers from my point of view do not mention a correct option and the answer you indicate as correct is wrong: "TLS uses X.509 certificates to encrypt network traffic. The server encrypts the traffic with a private key. The client decrypts the data by using the server's public key."
If using Public-Key Cryptography for encryption (which is a bad practice) the server must use the public key of the client to encrypt the data that it wants to send to the client. The client will then use its own private key to decrypt the data. The server must never have access to the private key of the client.
However, TLS does not use asymmetric keys for encryption but a derived symmetric key (using HMAC). If you are talking about symmetric encryption (thinking of TLS's derived secrets), then it could be right. But then, I think the answer is misleading because you still speak of a public and a private key. In symmetric encryption they do not exist. There is only one key which must be kept secret by all involved parties (here: the client and server). In the case you wanted this answer, I suggest speaking of a "derived secret", "secret" or "secret key", which would make it more clear and correct from my perspective.
A colleague of mine who is a security professional also thought that it would be OK to use TLS and the terms public/private keys when talking about authentication and not encryption. Maybe you could also pose the question this way. But then still change the usage of public and private keys in the answer.
I think this is a copy-paste failure, but it's conceptually wrong. To promote good security practices and eliminate misleading information I suggest fixing this issue.
Sources:
- https://www.rfc-editor.org/rfc/rfc8446.html
- https://tls13.xargs.org/
- https://tls12.xargs.org/
- https://de.wikipedia.org/wiki/Transport_Layer_Security#TLS_Handshake_Protocol
"