Here is what I understand on SSL communication:

The browser gets the public key from the web server of the secured website. The client and server establish a session key based on the public/private keys and then continue communicating through a symmetric algorithm during the SSL session.

My questions:

  1. After the session key is generated, where is it stored on the server side?
  2. Is it stored in web server memory?
  3. And is it stored encrypted?
1 Answer

This is what I understand for SSL communication. The browser gets public key from the web server of the secured website.

Well, it gets the entire certificate, which contains the public key, and it gets a lot of other things too, that authenticate that the server owns that certificate, and therefore owns that public key.

The client and server establish session key based on public/private keys

Incorrect. They negotiate a session key based on shared secrets that don't have anything to do with the public or private keys. The public key may be used to encrypt one of those secrets between client and server, but that's a different statement.

and then continue communication through symmetric algorithm during the SSL session.

Correct.

My questions:

After the session key is generated, where is it stored on the server side? Is it stored in web server memory?

Of course.

And is it stored as encrypted?

No.

  • Hi, can you elaborate on the section about how the session key is established? I don't think your answer is entirely correct. Isn't the session key computed on the client side using the public key, sent back to the server, and then the server decrypts it with its private key? And also, do you know where the session key is stored on the client? – Hen Feb 24 '16 at 17:06
  • @HenryLin It's too elaborate to elaborate. See RFC 2246 #8.1. Your statement about encrypting a session key is not correct; my answer is. The session key is stored in the session object, whatever that may be in whatever SSL implementation the client uses. – user207421 Feb 08 '17 at 22:06
  • Where does it get stored on client-side / browser? – kamal Apr 22 '20 at 17:02
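The derivation user207421 points to (RFC 2246 section 8.1, built on the PRF of section 5 and the key-block split of section 6.3), worked through in code. This is an added example, not code from the question, the answer or any TLS implementation: it implements the TLS 1.0 PRF with Python's standard `hmac` and `hashlib` modules, derives the master secret and the per-direction write keys from a pre-master secret plus the two Hello randoms, and shows that client and server, each holding the same three inputs, compute byte-identical keys. The pre-master secret and randoms below are constructed sample values, not from a real handshake; the function names are this example's own.

```python
import hashlib
import hmac

# Constructed sample inputs (not captured from a real handshake). In the RSA key
# exchange the client picks the 48-byte pre_master_secret (2-byte protocol version
# followed by 46 random bytes) and sends it encrypted under the server's public
# key; the two 32-byte randoms travel in the clear inside the Hello messages.
SAMPLE_PRE_MASTER = b"\x03\x01" + bytes(range(46))
SAMPLE_CLIENT_RANDOM = bytes([0x11] * 32)
SAMPLE_SERVER_RANDOM = bytes([0x22] * 32)


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash from RFC 2246 section 5: expand secret+seed to `length` bytes by
    chaining HMAC outputs, A(0) = seed, A(i) = HMAC(secret, A(i-1))."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls10_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 PRF (RFC 2246 section 5): split the secret into two halves that
    share the middle byte when the length is odd, run P_MD5 over the first half
    and P_SHA1 over the second, and XOR the two output streams."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_stream = p_hash("md5", s1, label + seed, length)
    sha1_stream = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_stream, sha1_stream))


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 2246 section 8.1: master_secret = PRF(pre_master_secret,
    "master secret", ClientHello.random + ServerHello.random)[0..47]."""
    return tls10_prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes, length: int) -> bytes:
    """RFC 2246 section 6.3: key_block = PRF(master_secret, "key expansion",
    server_random + client_random). Note the randoms are in the opposite order."""
    return tls10_prf(master, b"key expansion", server_random + client_random, length)


def derive_session_keys(pre_master: bytes, client_random: bytes, server_random: bytes,
                        mac_len: int = 20, key_len: int = 16, iv_len: int = 16) -> dict:
    """Partition the key block into the per-direction MAC secrets, write keys and
    IVs (RFC 2246 section 6.3). Sizes default to a SHA-1 MAC with a 128-bit
    block cipher. Everything returned is plain bytes: this is what a TLS stack
    holds in its session object in process memory for the life of the session."""
    master = master_secret(pre_master, client_random, server_random)
    block = key_block(master, client_random, server_random,
                      2 * (mac_len + key_len + iv_len))
    layout = [("client_write_MAC_secret", mac_len), ("server_write_MAC_secret", mac_len),
              ("client_write_key", key_len), ("server_write_key", key_len),
              ("client_write_IV", iv_len), ("server_write_IV", iv_len)]
    keys, offset = {"master_secret": master}, 0
    for name, size in layout:
        keys[name] = block[offset:offset + size]
        offset += size
    return keys


if __name__ == "__main__":
    # Both peers know the same pre-master secret and both randoms, so they reach
    # the same keys without either side ever transmitting a finished key.
    client_side = derive_session_keys(SAMPLE_PRE_MASTER, SAMPLE_CLIENT_RANDOM, SAMPLE_SERVER_RANDOM)
    server_side = derive_session_keys(SAMPLE_PRE_MASTER, SAMPLE_CLIENT_RANDOM, SAMPLE_SERVER_RANDOM)
    assert client_side == server_side
    for name, value in client_side.items():
        print(f"{name:24s} {value.hex()}")
```

What this makes concrete is the answer's distinction: the server's public key only wraps the pre-master secret while it is in transit; the keys that actually protect the record layer are computed independently on each end from that secret and the two randoms, and they sit in the process's memory as ordinary bytes. Nothing in the protocol encrypts them at rest, so their confidentiality on the server rests on process isolation and memory protection, which is why a memory disclosure in the TLS process is treated as a key compromise.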