Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

SSL: How the client decrypt message from server

I've read and watched a lot of articles and videos about SSL AES and RSA, but one thing is ALWAYS missing in every explanation( or I just don't get it ) is how the client decrypts sensitive data that comes from the server!(e.g. how much money you have)

I get it that your public key can encrypt anything and send it to the server and anyone can have it, but what do you do when you want to retrieve something from the server? Does it comes just as plain text?

Any of the articles and videos point that out, they all just say that you have a private key that you shouldn't share and a public key that you can encrypt your messages and share it in the internet, but they don't say how the client makes a GET request with a encrypted message and decrypt it so it can be human readable.

As it says in this link about AES:

Asymmetric cryptography works by having two different keys, one for encryption and one for decryption. It's also often called 'public key cryptography' because it's possible to make one key public (allowing someone to encrypt a message) while keeping the other private (only the holder of the private key can decrypt the message encrypted with its related public key).

Any help is welcome!

I will leave some links about web security that I found useful to learn: https://www.coursera.org/learn/internet-history/lecture/L7HzI/security-integrity-and-certificate-authorities

like image 261
betoharres Avatar asked May 06 '15 13:05

betoharres


1 Answers

If you want all the details grab a copy of SSL and TLS: Designing and Building Secure Systems. For a more arid lecture, read RFC2246 The Transport Layer Security (TLS) Protocol.

The short story is this: during the TLS/SSL handshake the client and the server exchange a secret (the PMS, pre-master-secret). This secret is used to derive session keys, initialization vectors and HMAC keys for use by client and server. Each one uses this keys to encrypt and sign everything send from it's side, and each one use the other's key to decrypt and validate the data sent by the other. Nothing ever goes in clear text, in any direction.

Authorization and authentication based on the certificate used is a completely orthognal issue.

like image 174
Remus Rusanu Avatar answered Oct 04 '22 02:10

Remus Rusanu