Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Who generates HTTPS session keys?

Some sources says that the web browser generates the session key. Now if the web browser generates it then its vulnerable for replay attacks.

Also some sources says that the server generates a part of it and the rest the client generates. How does HTTPS generate session keys?

like image 974
user574183 Avatar asked Jan 21 '11 09:01

user574183


1 Answers

Both the client and the server generate a Nonce which is used along with other data to generate the "Pre-Master Secret". Even after the connection has closed a session can be resumed and the same "Master Secret" is used. All of this is covered in The first few milliseconds of an HTTPS Connection.

like image 181
rook Avatar answered Sep 29 '22 00:09

rook