-3

Okay I have read the questions here on how SSL works, but they all focus on symmetric encryption. But I have configured Apache WebServer to use RSA for SSL using the openSSL tool.

Now my question is that how does asymmetric encryption work for SSL ? What goes on behind the scenes ?

My main doubt is that if the browser wants to communicate with the server then it uses the public key given by the server, but if it wants to understand what the server is sending(which in my opinion will be encrypted since it will be in a HTTPS session) how does the browser do that ?

If I am not wrong private keys are not suppose to be shared. So how does this work ?

Heidi
  • 113
  • 2
  • 6

1 Answers1

2

How symmetric and asymmetric cryptography is used in the context of TLS is explained in detail in How does SSL/TLS work?. But since they go in a lot of details there I just highlight the main points regarding your question:

  • Symmetric cryptography (shared key) is used for the encryption of the data.
  • Asymmetric cryptography (public/private key) is used to check that you talk to the expected peer, i.e. for the certificate check.
  • Asymmetric cryptography might also be used in the key exchange, where the shared key for the data encryption is generated. If it used or not depends on the cipher suite.

For the deeper details please see How does SSL/TLS work?.

Steffen Ullrich
  • 190,458
  • 29
  • 381
  • 434
  • So let me get this straight. Asymmetric cryptography is not used for data encryption ? It is only to verify to which peer I am talking ? Why not do that with just symmetric encryption ? – Heidi Dec 13 '15 at 13:17
  • 2
    @Heidi: again, [How does SSL/TLS work?](http://security.stackexchange.com/questions/20803/how-does-ssl-tls-work) explains all of this in detail. – Steffen Ullrich Dec 13 '15 at 13:21
  • @Heidi because if you want authentication with symetric cryptography, you need to have a secret shared key in common. – Romain Clair Dec 14 '15 at 09:38