SSL Public private key logic

I am reading articles on SSL security logic and I am a bit confused. The server has a private key and sends the client a public key. Data encrypted with the public key can only be decrypted with the private key.

1- The client side does not have a private key. How does the client decrypt the server's data?

2- If the public key is sent over the internet, somebody listening on the network can access the key.

3- Encryption and decryption should have an algorithm. Do all browsers know that algorithm? If browser companies know the encryption algorithm, this is a security problem.


The public and private keys aren't used for data encryption in SSL. They are only used in the authentication phase. That's why the client doesn't need a private key, unless the server requires client authentication. The actual encryption is done via symmetric encryption using a negotiated session key.

There are resources on the Internet that state otherwise, notoriously the Linux Documentation Project page. They are wrong. The normative reference is RFC 2246.

Your remark about knowing the encryption algorithm is quite incorrect. First, the client has to know the algorithm to be able to encrypt and decrypt. Second, it was established many years ago that security-by-obscurity simply does not work. True cryptographic security comes from well-designed and well-tested algorithms, however well-known they may be, and key length.
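The division of labour described in the answer above, as an added example that is not part of the original thread: a toy signed ephemeral Diffie-Hellman exchange in the style of RFC 2246's DHE_RSA key exchange, where the server's private key only signs the handshake and the data is protected by a symmetric session key. The parameters, the function names and the HMAC-based keystream standing in for the negotiated cipher are assumptions made for illustration and are far too small or simple for real use.

```python
import hashlib, hmac, secrets

# Toy parameters constructed for this example; far too small for real use.
P, G = 2**127 - 1, 3                        # DH modulus (a Mersenne prime) and base
RSA_P, RSA_Q, E = 2**61 - 1, 2**89 - 1, 65537
N = RSA_P * RSA_Q                           # server public key (N, E), sent in the clear
D = pow(E, -1, (RSA_P - 1) * (RSA_Q - 1))   # server private exponent, never sent

def enc(x: int) -> bytes:
    return x.to_bytes(16, "big")

def digest(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N

def server_reply(client_random: bytes):
    """Server picks an ephemeral DH secret and signs its share with the private key."""
    server_random, b = secrets.token_bytes(32), secrets.randbelow(P - 2) + 1
    share = pow(G, b, P)
    sig = pow(digest(client_random, server_random, enc(share)), D, N)
    return b, server_random, share, sig

def session_key(secret: int, client_random: bytes, server_random: bytes) -> bytes:
    return hmac.new(enc(secret), client_random + server_random, hashlib.sha256).digest()

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Symmetric stand-in cipher: the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], pad))
    return bytes(out)

def handshake(tamper: bool = False):
    """Return (client_key, server_key), or None if the signature check fails."""
    client_random, a = secrets.token_bytes(32), secrets.randbelow(P - 2) + 1
    client_share = pow(G, a, P)
    b, server_random, server_share, sig = server_reply(client_random)
    if tamper:                               # share altered in transit
        server_share = (server_share + 1) % P
    # Authentication: the client needs only the public key (N, E) to verify.
    if pow(sig, E, N) != digest(client_random, server_random, enc(server_share)):
        return None
    k_client = session_key(pow(server_share, a, P), client_random, server_random)
    k_server = session_key(pow(client_share, b, P), client_random, server_random)
    return k_client, k_server

if __name__ == "__main__":
    keys = handshake()
    print(keys[0] == keys[1], handshake(tamper=True))
```

The client never holds a long-term private key: it verifies with the public key, and both sides arrive at the same session key without that key ever crossing the network.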
