• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 451
  • Last Modified:

SSL Certificate and Public Key Cryptographic

I have Some Problem In SSl Certificate Concept :

I read that when I Connect to Site have ssl certificate like paypal.com , First the site send to my browser his certificate and public key , then browser use the public key to encrypt A session key with its Private key and send it to server ...
any body can explain for me this process and what is browser private key and how to see it ?
after handshake between browser and Site  how data transfer between them like if i transfer money ?
In this case Where the process use hashing ?
Finally How i can generate public and private key and what software to encrypt message ?
  • 2
  • 2
1 Solution
There are many webs sites that explain how the process works:


Depending on what you want  you self signed cert to do, there are a few ways you can do this:
selfssl from the IIS Resource kit

What email system/we service are you intending to use ?
ParanormasticCryptographic EngineerCommented:
Your understanding is a little off - the client's private key normally is not required (client usually doesn't even have a certificate unless using "mutual authentication" / "client certificate authentication", which is uncommon) the above links are useful, but here is the quick overview

- Server sends certificate to client browser
- Browser checks to see if trusted
 = issued from a trusted CA like VeriSign
 = validity dates are current / not expired
 = name of site matches subject name (or subject alternative name) of certificate
 = not revoked
- Handshake between server and client for negotiating best supported synchronous key strength
- Browser generates synchronous key (RC-4, AES-256, etc.) to be used as the session key
- Browser encrypts session key with server public key and sends to server
- Server decrypts session key with server private key
- Regular communication commences with either client or server encrypting data using session key and the other decrypting using the same session key.

I'm not really sure how to check it in IE offhand - in most other browsers (e.g. FireFox, Opera, etc.) you can click the gold lock and somewhere in the detailed information it will tell you what kind of session key is being used.  To actually view the session key you would need to find some program that does that - that starts getting into a touchy area for methods of hacking SSL sessions, which you can google but I'm not going to get into in the forums - yes there are ways of attacking SSL, however they tend to be very complex and not very common, and typically easily detectable if you don't accept untrusted certificate warnings that are presented to you by the browser.
abu_qusyAuthor Commented:
Thank all,
but Paranormastic:
What you mean by this
(client usually doesn't even have a certificate unless using "mutual authentication" / "client certificate authentication",and give me info. a bout methods of hacking SSL sessions, and how to see Session Key
please give me good tutorials a bout ways of attacking SSL
abu_qusyAuthor Commented:
Please Site like paypal have mutual authentication , her Clinets have Private Key ? and what is it  and clinet the connect to windows server have rivate  key ?
ParanormasticCryptographic EngineerCommented:
Very few commercial sites use client authentication.  There are other secure methods for signing in, but that is done within the authentication processes to the site, not for allowing the SSL session to be created in the first place.  Having an authenticated SSL session does not mean that you are necessarily going to be authenticated to the protected site.

Normally only the client would use the server's public key from the certificate to encrypt session handshake info, and the server would use its private key to decrypt it.  With mutual authentication an additional process is added where the server asks the client for its authentication cert, the client supplies it, the server validates it as being authentic and from the appropriate trusted CA, then provides the client with some information encrypted with the client's public key such that only the client can decrypt it using its own private key, and then the client sends the challenge response back encrypted with the server's public key, which the server then decrypts with its own private key - if all goes well then they continue on with the handshake to negotiate cipher strength and create a session key to use like they would in a normal SSL handshake.  Once that's all set up then the web page is securely delivered through the SSL tunnel for your logon page or whatever.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: CompTIA Cloud+

The CompTIA Cloud+ Basic training course will teach you about cloud concepts and models, data storage, networking, and network infrastructure.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now