I am trying to get my head around how IE negotiates https/SSL with Internet sites.
My understanding is they use asymetric PKI encryption to send each other a shared session key that both server and client use to encrypt and decrypt the communication.
But to send the session key they must authenticate each other.
My thinking is that the Internet web site public key (certificate) is sent to the client to use for encryption of this initial session key. (the client verifies that it is a valid cert first)
The client sends the ecrypted session key that only the website has the private key (certificate)to decrypt.
The client does not have to send a public key to the website?
Put another way is there a default public/private key pair in Internet Explorer for the client computer or is that not necessary?
Or does the client generate the shared session key and encrypt with the Internet website public cert and send to the website and then after that everything is symetric encryption with the session key?