man in the middle attack

2018-05-30 06:19:03

It is said when you use ssl then you prevent a man in the middle from stealing information from the server to the client or vice verse. In my case stealing the jsonwebtoken. What i understand also from other answers is that ssl uses a private key and a public key. The private key is stored on the server and the public key is given out to the clients. You can encrypt information with the private key but you can't decrypt it with the private key for that you need the public key. Also you can encrypt information with the public key but you can't decrypt it with the public key therefore you need the private key.

How i currently look at it is when a server sends the public key to the client then a man in the middle is also able to get a copy of the public key and he will be able to decrypt information from the server to the client. Am i right on this or do i miss something. I understand the man in the middle can't decrypt information from the client to the server because he doesn't have the private key but if he already can decrypt the information from the server to the client then he is able to steal the jsonwebtoken which enables him to login on behalf of the client.

For me it would be more logic when a client has a private and a public key as well. The private key should be stored on his computer and the public key is send to the server. So the server encrypts information which is send to the client with the public key of the client instead of his own private key. The private key on the server is then used only to decrypt information from the client. In this case you would have a 2 way encryption and the man in the middle is not able to decrypt any information at all. But so far i understand it's not working this way.

Maybe i'm completely wrong or maybe i overlooked something. Hopefully someone can light some things up a bit because it's not 100% clear to me. Thanks in advance for your help.

The server public/private key is only used to establish a session key. Not to encrypt data sent during the session.

This works by the client generating the pre-master secret and encrypts it with the server public key. Then both the client and server can create a session key using the pre-master secret and no eavesdropper or man-in-the-middle can know it.

Also, many more things are done to provide confidential and authenticated communications.

链接地址: http://www.djcxy.com/p/3712.html

上一篇: 2路SSL / TLS配置

下一篇: 男子在中间发作