How a secure SSL tunnel is established.
Client makes a request to server
Server sends its Public Key to Client.
The Public Key is sent in form of a Digital Certificate. The browser verifies the digital certificate before accepting the public key sent by server to initiate the SSL process.
As Client does not have a Public Key, it (browser) generates a Random Key
This Random Key is then encrypted by using Server's Public Key.
This encrypted Random Key is then sent to the Server. As the Random Key is encrypted by using Server's Public Key only Server's Private Key can decrypt it. So it is assumed secure as long as the Private Key of Server is kept secure
Server uses its Private Key to decrypt the Random Key
Now both Client and Server have the same key, so they can use symmetric encryption now.
So a symmetric encryption tunnel is established.
This symmetric encryption tunnel is not used for data encryption directly. As it is established by Client's Random Key it is susceptible to the attacks. So this is used only for a moment and not for a long time for data encryption.
This symmetric encryption tunnel is temporary and is used to negotiate a Final Key in the SSL process
This Final Key negotiated is used to establish the encrypted tunnel for data.
CEH | ECSA | OPST | OPSA
Sisir Kanta Panda
CISSP | ISO 27001 LA
CEH | ECSA
CEH | ECSA | EDRP | CEI
Security+ | CEH
K. P. Mishra
ISO 27001 LA | CISA
Digital Marketing Expert