Question
From what I understand, when you send information to a website over SSL, you encrypt the information you send with their public key.
However, if you want to be able to decrypt the information they reply with, you are going to need a private/public key combination yourself. I don't ever recall having been prompted for an RSA key by my browser, or been required to generate one; where does this key come from?
If your browser creates one for you, is it generated once and then stored on your computer forever, or is a new key generated for every session or site?
Explanation / Answer
During the TLS handshake the client will use the public key of the server, which it was passed following the ServerHello message, to encrypt a pre-master secret. It is not the entire session key. In the ClientHello message and ServerHello message the two parties swap random values. The server and the client now use the pre-master secret and the random values to generate the same master secret, which can be used as a session key.
The server's public key is used because in asymmetric cryptography the only person who will be able to decrypt the message will be the holder of the private key.
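As an added example (not part of the original question or answer), the derivation the answer describes, written out with the TLS 1.2 PRF from RFC 5246: the client builds a pre-master secret, both sides combine it with the ClientHello and ServerHello randoms, and each arrives at the same 48-byte master secret and key block without the client ever holding a key pair of its own. The label strings and lengths follow the RFC; the function names and the constructed sample values are this example's, and the RSA encryption of the pre-master secret under the server's public key is not shown.

```python
import hmac
import hashlib
import os

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion from RFC 5246 section 5: A(0)=seed, A(i)=HMAC(secret, A(i-1))."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)

def new_pre_master_secret() -> bytes:
    # RSA key exchange: 2 version bytes (TLS 1.2 = 0x0303) + 46 random bytes, chosen by the
    # client and sent to the server encrypted under the server's public key (not shown here).
    return b"\x03\x03" + os.urandom(46)

def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # master_secret = PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random)[0..47]
    return tls12_prf(pre_master, b"master secret", client_random + server_random, 48)

def key_block(master: bytes, client_random: bytes, server_random: bytes, length: int) -> bytes:
    # Session keys are then expanded from the master secret; note the randoms are in the opposite order.
    return tls12_prf(master, b"key expansion", server_random + client_random, length)

def both_sides_agree() -> bool:
    """Simulate client and server deriving keys independently from the same shared inputs."""
    client_random = os.urandom(32)   # sent in the clear in ClientHello
    server_random = os.urandom(32)   # sent in the clear in ServerHello
    pms = new_pre_master_secret()    # only the server's private key can recover this in transit
    # Client derives...
    ms_client = master_secret(pms, client_random, server_random)
    keys_client = key_block(ms_client, client_random, server_random, 104)
    # ...and the server, after decrypting pms with its private key, derives the same values.
    ms_server = master_secret(pms, client_random, server_random)
    keys_server = key_block(ms_server, client_random, server_random, 104)
    return ms_client == ms_server and keys_client == keys_server

if __name__ == "__main__":
    print("client and server agree:", both_sides_agree())
```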