can break the encryption. And, what's worse, no one[1] can prove (or
needed with brute force.
I've got it now. I knew I had to be missing something fundamental,
because if I wasn't, the whole foundation of SSL would be in jeopardy.
The pages I read talked about the client key exchange message sending
the premaster secret from the client to the server, but neglected to
mention that the client encrypts it using the server's public key.
And once it's encrypted, the only way to get it back is using the
server's private key. My brain fart was that I stupidly thought the
premaster secret was sent in the clear. In hindsight, I suppose it
would be rather dumb to call it a secret if it were sent in the clear.
Since you have to know the premaster secret to compute the master
secret, you'd either have to know the server's private key or somehow
obtain the premaster secret from the client before it encrypted it.
Well, thank god I've confirmed for us all that SSL is really secure
after all. I'm sure you were all very worried about it. ;-)
On Aug 10, 2007, at 4:03 PM, Jeff Morriss wrote:
Derek Shinaberry wrote:
Can someone help me understand why you must have the server's private
key in order to be able to decrypt the session between the client and
the server? It seems to me that if the server and client can conduct
the session without the client ever knowing the server's private key,
then a capture of the session on the client's side ought to be able
to decrypt the session using just what is in the SSL handshake
exchange. What don't I understand about the process that precludes
this behavior?
You might want to read: