How does SSL work in web traffic?

I was watching a tutorial video related to AD FS in Windows 2012.
When setting up a trust relationship between two AD FS servers, I'm not quite understanding how SSL/TLS works in terms of private/public keys. Maybe it would be the same situation between a website and the users accessing it.
I have read various articles related to SSL online, but it is still not clear to me how SSL works.

My understanding of the encryption of SSL traffic between a website and users:
The server has a private key and keeps it in its key store.
Then the server distributes its public key to users, and users download the public key when accessing the site through a web browser.
Then the user's computer encrypts data using the public key and sends it to the web server.
Then the web server decrypts the data using its private key.
At this stage, the traffic is secured. A middle man can't decrypt data on the path.

But when the web server sends data to the user's computer, how is the traffic secured?
The web server encrypts data using its private key and sends the data to the user's computer.
Since public keys are distributed to anyone, can't a middle man grab the public key and decrypt the data?

I guess the situation is the same between AD FS servers. If there are multiple AD FS trusts, multiple trust partners have the same public keys. How is traffic from a private key holder to a public key holder secured?
crcsupport Asked:
ozo Commented:
The client sends the server a random key, which the client encrypts with the server's public key but which can only be decrypted with the server's private key.
crcsupport (Author) Commented:
So the private key is used only once, to decrypt the first piece of communication data and extract the random key generated by the client, and then the random key is used from then on?
ozo Commented:
Yes.
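As an added illustration of ozo's answer above (example code written for this page, not from anyone in the thread): the client picks a random session key, wraps it with the server's public key, the server unwraps it with its private key, and from then on both directions of traffic use that symmetric key, so the widely distributed public key gives an eavesdropper nothing. The choice of RSA-OAEP for the wrapping and AES-256-GCM for the session traffic is an assumption made here for the demo; real TLS negotiates its own key exchange and cipher suite.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// must panics on error; acceptable in this demo since any such failure would abort a real handshake too.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// seal encrypts under the shared session key with AES-256-GCM, prefixing a fresh random nonce.
func seal(key, plaintext []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; it fails on the wrong key or on any tampering with the message.
func open(key, msg []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if n := g.NonceSize(); len(msg) >= n {
		return g.Open(nil, msg[:n], msg[n:], nil)
	}
	return nil, errors.New("message too short")
}

// Exchange: the client wraps a random session key with the server's public key (RSA-OAEP); only the
// server's private key unwraps it, and from then on BOTH directions use that symmetric key.
func Exchange(serverPriv *rsa.PrivateKey, request string) (string, string, error) {
	clientKey := make([]byte, 32) // 256-bit session key, known only to the client so far
	must(rand.Read(clientKey))
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, &serverPriv.PublicKey, clientKey, nil))
	serverKey := must(rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, wrapped, nil))
	got, err := open(serverKey, seal(clientKey, []byte(request))) // client -> server
	if err != nil {
		return "", "", err
	}
	reply, err := open(clientKey, seal(serverKey, append([]byte("reply to "), got...))) // server -> client
	return string(got), string(reply), err // server's view of the request, client's view of the reply
}
```

Generate the server key pair with `rsa.GenerateKey(rand.Reader, 2048)` (standing in for the key the server keeps in its key store) and pass it to `Exchange`; requires Go 1.18 or later for generics.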
crcsupport (Author) Commented:
I don't know why this very important piece of the process is omitted from many online SSL documents.
Thanks!!!
arnold Commented:
While SSL/TLS are the means to secure data exchanges, the AD FS client/server setup is different from web traffic.
Both AD FS servers have to have verifiable certificates (identity assurance).

In web traffic, only the server has a preset private/public key pair, which is presented within the certificate. During the initial connection, the two sides negotiate the means of communication. The client browser generates a key pair (private/public) that will be used for this session only.
As ozo pointed out, the private key, whether preset (server) or randomly generated (client), is the only means by which encrypted data can be decrypted.
The server's private key decrypts data sent by the client, which used the server's public key to encrypt.
The server uses the client's public key to encrypt responses sent to the client.
The client uses its randomly generated private key to decrypt encrypted data sent by the server.
crcsupport (Author) Commented:
Arnold, I am sorry, I should have waited to give points to you. That's also an important point: a client generates a key pair (private/public key) as well, not just a single random key.
I really had a hard time understanding how this works because there's no means to show how this actually works visually. The only way to understand is by text. Now it all makes sense. The important part is what the client does. They generate keys as well.


I hope anyone having a hard time understanding PKI will find the above two posts very helpful.
arnold Commented:
Not an issue on point awarding; ozo's post answered your question to your satisfaction.

SSL/TLS is covered in more detail when discussing the mechanics of the communication negotiation process that deals with establishing the connection.