ID: 651517 • Letter: A
Question
As I understand it, SSL involves the use of a public-private key pair. How does this enable two-way communication?
Suppose I have some server with which I wish to communicate securely. I connect to it, and it supplies me with a certificate, which contains its public key (assume the certificate is valid). I then take my request, encrypt it with this public key, and transmit the resulting ciphertext to the server. This communication is secure from eavesdropping. But how does the server return my results to me securely? I lack a public/private key pair, and have no certificates.
Explanation / Answer
If you have secure communications in one direction, you can always have secure communications in both directions. The sender could just generate a random string, send it to the other side, and then they could communicate bidirectionally using that random string as a key.
The sole purpose of the public-private key pair is for authentication, not encryption. If I want to send my credit card information to Amazon, I want to make sure I'm really talking to Amazon and not someone else. Since Amazon doesn't care who I am (because I'll send a user and password anyway), there's no reason I need a public-private key pair or certification.
With no certificate on either side, we could still establish a connection secure from eavesdropping. But neither side would have any idea who they were talking to.
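The bootstrapping the answer describes, as an added example in Go's standard library (not code from the original answer): the client wraps a random session key under the server's public key, the server unwraps it with its private key, and both sides then use that key symmetrically in both directions. The server key pair is generated in-process as a stand-in for the certificate, and the function names and messages are constructed for this demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

var serverPriv, _ = rsa.GenerateKey(rand.Reader, 2048) // demo stand-in for the cert's key pair

// Client side: draw a random 32-byte session key and encrypt it to the server's public
// key (RSA-OAEP). Only the private key recovers it (ServerKeyExchange), so the client needs none.
func ClientKeyExchange(pub *rsa.PublicKey) (key, wrapped []byte, err error) {
	key = make([]byte, 32)
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	return key, wrapped, err
}

func ServerKeyExchange(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// Both sides now hold the same AES-256-GCM key, so either one can Seal a record
// the other can Open: the channel is two-way. (TLS derives per-direction keys.)
func NewSession(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func Seal(s cipher.AEAD, plaintext []byte) []byte {
	nonce := make([]byte, s.NonceSize())
	rand.Read(nonce) // crypto/rand.Read is guaranteed not to fail (Go 1.24+)
	return s.Seal(nonce, nonce, plaintext, nil) // nonce || ciphertext || GCM tag
}

func Open(s cipher.AEAD, record []byte) ([]byte, error) {
	if len(record) < s.NonceSize() {
		return nil, errors.New("record too short")
	}
	return s.Open(nil, record[:s.NonceSize()], record[s.NonceSize():], nil) // tampered => error
}
```

Only the holder of the private key can unwrap the session key, which is what authenticates the server; nothing in this exchange authenticates the client, which matches the answer's point.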