Subject: | |
From: | |
Reply To: | Steve Dirickson (Volt) |
Date: | Mon, 1 Oct 2001 18:11:31 -0700 |
Content-Type: | text/plain |
Parts/Attachments: |
|
|
> As I understand it.... When I connect to a site over https, I
> receive their
> certificate or public key. When I send data to the site, it
> is encrypted
> using their public key and can only be unencrypted by their
> private key which
> they keep locked away with a PEM phrase & restrictive
> permissions. Now, how
> exactly is the data that is sent to my browser efrom the web server
> encrypted? How does my browser unencrypt it?
That isn't quite how it works. Use of server or client certificates is optional; even if used, they have nothing to do with securing the data exchanged--certificates are used only to authenticate that the other end is really who it claims to be.
The encryption methods, keys, and other security parameters used for a session are negotiated by the two ends as part if the initial handshake protocol. The full-blown handshake looks like this (from RFC 2246):
Client Server
ClientHello --->
ServerHello
Certificate*
ServerKeyExchange*
CertificateRequest*
<--- ServerHelloDone
Certificate*
ClientKeyExchange
CertificateVerify*
[ChangeCipherSpec]
Finished --->
[ChangeCipherSpec]
<--- Finished
The "Hello" and "Exchange" components are where the two parties offer each other their cryptographic capabilities, decide what will be used, set up the required parameters, and then, at [ChangeCipherSpec], switch to the agreed-upon security.
* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
|
|
|