Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

SSL: How the client decrypt message from server

Tags:

security

ssl

cryptography

encryption

I've read and watched a lot of articles and videos about SSL AES and RSA, but one thing is ALWAYS missing in every explanation( or I just don't get it ) is how the client decrypts sensitive data that comes from the server!(e.g. how much money you have)

I get it that your public key can encrypt anything and send it to the server and anyone can have it, but what do you do when you want to retrieve something from the server? Does it comes just as plain text?

Any of the articles and videos point that out, they all just say that you have a private key that you shouldn't share and a public key that you can encrypt your messages and share it in the internet, but they don't say how the client makes a GET request with a encrypted message and decrypt it so it can be human readable.

As it says in this link about AES:

Asymmetric cryptography works by having two different keys, one for encryption and one for decryption. It's also often called 'public key cryptography' because it's possible to make one key public (allowing someone to encrypt a message) while keeping the other private (only the holder of the private key can decrypt the message encrypted with its related public key).

Any help is welcome!

I will leave some links about web security that I found useful to learn: https://www.coursera.org/learn/internet-history/lecture/L7HzI/security-integrity-and-certificate-authorities

like image 261
betoharres Avatar asked May 06 '15 13:05

betoharres

1 Answers

If you want all the details grab a copy of SSL and TLS: Designing and Building Secure Systems. For a more arid lecture, read RFC2246 The Transport Layer Security (TLS) Protocol.

The short story is this: during the TLS/SSL handshake the client and the server exchange a secret (the PMS, pre-master-secret). This secret is used to derive session keys, initialization vectors and HMAC keys for use by client and server. Each one uses this keys to encrypt and sign everything send from it's side, and each one use the other's key to decrypt and validate the data sent by the other. Nothing ever goes in clear text, in any direction.

Authorization and authentication based on the certificate used is a completely orthognal issue.

like image 174
Remus Rusanu Avatar answered Oct 04 '22 02:10

Remus Rusanu
Sign in to Comment

Related questions

Improving Login-Security through denial of Copy & Paste?
Does Java have a built-in Antivirus? Is it true?
Are Session Fixation Attacks in MVC 5 still an issue
How to integrate Spring Security and GWT?
How To Properly Handle Passwords In C#
Best method to secure connection to firebird over internet
Is there a way to restrict untrusted container scheduler?
WebSocket authentication security
Which API Gateway is production ready and provides good performance & features? [closed]
XMLHttpRequest in google-chrome is not reporting progress events
How to secure a small php api with public and private key
Authorisation in microservices - how to approach domain object or entity level access control using ACL?
Can I trust my environment variables?
Is Java ReDos vulnerable?
Detecting Keyboard Hooks
How to use id-aes256-GCM with Node.JS crypto? "TypeError: DecipherFinal fail"
JSON Web Token expiration
How do I use browser fingerprint in my website?
Can a Shadow DOM secure my elements?
What's the difference between retrieving WindowsPrincipal from WindowsIdentity and Thread.CurrentPrincipal?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!