VietMX Staff asked 3 years ago
When an HTTPS connection is established, the encryption key is “discussed” between the various computers involved before the encrypted connection is established. It seems to me that if the encryption key must be negotiated between the server and the client before the encryption process can begin, then any attacker with access to the network traffic would also be able to monitor the negotiation for the key, and would therefore know the key used to establish the encryption. This would make the encryption useless if it were true. I don’t get why it isn’t true.
It’s all the magic of asymmetric key encryption. Fascinating stuff. Here’s a really simplified version:
- When a client and a server negotiate HTTPS, the server sends its public key to the client.
- The client encrypts the session encryption key that it wants to use using the server’s public key, and sends that encrypted data to the server.
- The server decrypts that session encryption key using its private key, and starts using it.
- The session is protected now, because only the client and the server can know the session encryption key. It was never transmitted in the clear, or in any way an attacker could decrypt (as he doesn’t have private key), so only they know it.
Only the server can decrypt “the session encryption key”, because only the server has that private key. Attackers could try to forge the response containing an encrypted key, but if the server sets up the session with that, the true client won’t speak it because it isn’t the key that the true client set. it’s also important to mention that the public key is signed by a trusted authority, meaning even if the attacker is a “man in the middle”, he can’t pretend to be the server in an attempt to trick the client into encrypting the shared key using the attacker’s public key instead.
