1

I know much has been written on this topic, but I am still stuck on some on the details of TLS handshake and I would like to have a better understanding of what happens. I've been using several sources to learn more, but my basic outline comes from this CloudFlare article., which details the high level steps of a handshake as...

1. Client hello
2. Server hello
3. Server's digital signature
4. Digital signature confirmed
5. Client DH parameter: 
6. Client and server calculate the premaster secret
7. Session keys created
8. Client is ready
9. Server is ready
10. Secure symmetric encryption achieved

I'm particularly struggling to understand step 4, where the client verifies the handshake from the server. From other sources, I understand the following steps...

 1. Server hashes the previous messages of the handshake
 2. Server encrypts this hash, the output is the signature
 3. Sever sends this encrypted message to the client
 4. The client takes previous messages, hashes them, then decrypts the signature and ensures the hash values match.

Where I get lost is how would the client be able to decrypt anything encrypted by the server, as the public key only encrypts. I imagine I'm missing a step, or fundamentally misunderstanding the signature step. Any help understanding that would be greatly appreciated.

DoubtingThomas3005
  • 13
  • 2

1 Answers1

0

The confusion stems from:

2.  Server encrypts this hash, the output is the signature

There is a common misconception that signing a message is the same as encrypting the message with the primary key. But, this notion is fundamentally incorrect, and leads to the type of confusion that seems to be at the root of this questions. See What happens when I encrypt something with my RSA Public Key? for more info.

mti2935
  • 21,098
  • 2
  • 47
  • 66