An example of key exchange using public/private keys
SSL (Secure Socket Layer) and TLS (Transport Layer Security) use public/private keys to exchange a secret key used during a session
The SSL handshake consists of several steps, as follows:
Step 1: The client contacts the server and sends SSL version number, a random number X, and some additional information
Step 2: The server sends the client the SSL version number, random number Y, and its public key (packaged into a certificate)
Step 3: The client verifies that the server is who it says it is by examining the certificate (more on this in a bit)
Step 4: The client creates a “premaster secret” using X, Y, and other information. It encrypts the secret using the server’s public key.
Step 5: If the server has requested authentication, the client sends its own certificate and the premaster secret to the server
Step 6: The server authenticates the client by examining the client’s certificate, uses its private key to decrypt the premaster secret, then uses it to generate the master secret. The client also generates the master secret.
Step 7: Both the client and the server use the master secret to generate the session secret key
Steps 8 (9): The client (server) sends a message to the server (client) telling it that it will use the secret key. It sends a second message encrypted with the secret key
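Worked example of Steps 4 through 7 (an addition to these slides, not code from the original): both sides take the premaster secret and the two random numbers X and Y and derive the same master secret and session keys, using the TLS 1.0/1.1 PRF from RFC 2246 (P_MD5 XOR P_SHA1); the SSL 3.0 derivation and TLS 1.2/1.3 differ. The RSA encryption of the premaster secret under the server's public key (Steps 4 and 5) is not implemented here; the premaster is handed to the server directly as a stand-in for decrypting it, and the version bytes and key sizes are constructed sample values.

```python
import hmac
import os

# Constructed sample parameters (not from the slides): TLS 1.0 version bytes and key sizes for
# an AES-128-CBC / HMAC-SHA1 cipher suite.
TLS_1_0 = b"\x03\x01"
MAC_LEN, KEY_LEN, IV_LEN = 20, 16, 16

def p_hash(hash_name, secret, seed, length):
    """P_hash from RFC 2246: HMAC(secret, A(i) + seed) chained until `length` bytes."""
    out, a = b"", seed                                   # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()      # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]

def prf(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5 on the first half of the secret XOR P_SHA1 on the second half."""
    half = (len(secret) + 1) // 2                        # odd-length secrets share the middle byte
    md5_part = p_hash("md5", secret[:half], label + seed, length)
    sha_part = p_hash("sha1", secret[-half:], label + seed, length)
    return bytes(m ^ s for m, s in zip(md5_part, sha_part))

def master_secret(premaster, client_random, server_random):
    """Steps 6 and 7: both sides derive the 48-byte master secret from the premaster and X, Y."""
    return prf(premaster, b"master secret", client_random + server_random, 48)

def session_keys(master, client_random, server_random):
    """Step 7: expand the master secret into the key block (randoms in server, client order)."""
    n = 2 * (MAC_LEN + KEY_LEN + IV_LEN)
    kb = prf(master, b"key expansion", server_random + client_random, n)
    names = ["client_mac", "server_mac", "client_key", "server_key", "client_iv", "server_iv"]
    sizes = [MAC_LEN, MAC_LEN, KEY_LEN, KEY_LEN, IV_LEN, IV_LEN]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = kb[pos:pos + size]
        pos += size
    return keys

def simulate_handshake():
    """Model of Steps 1-7. The RSA encryption of the premaster (Steps 4-5) is not implemented;
    the premaster is handed to the server directly as a stand-in for decrypting it."""
    x = os.urandom(32)                                   # Step 1: client random X
    y = os.urandom(32)                                   # Step 2: server random Y
    premaster = TLS_1_0 + os.urandom(46)                 # Step 4: version + 46 random bytes
    client_master = master_secret(premaster, x, y)       # Step 6: client side
    server_master = master_secret(premaster, x, y)       # Step 6: server side, after RSA decrypt
    return client_master, server_master, session_keys(client_master, x, y)
```

Because the key block is split into separate client-write and server-write keys, each direction of the session is protected with a different key even though both sides hold the same master secret.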