From my understanding, prior to secure SSL communications, a symmetric key is established between the two parties. Now, if an SSL session were to involve an unsecure wireless access point, would it be possible for an attacker to sniff the airwaves and obtain the established key?
Asked
Active
Viewed 84 times
2 Answers
6
The key exchange in SSL is based on asymmetric cryptography. For example the client might encrypt a secret with public key of the server. Now only the server can decrypt that value, since he is the only one who has the private key for that public key.
A passive listener won't be able to to learn that secret. SSL is be secure against an attacker who sees the complete communication between client and server.
An active attacker can try to mount a man-in-the-middle attack. This means that he impersonates the server and sends a different certificate and thus public key to the client. If the client accepts the certificate the attacker succeeds. That's why certificate validation is essential in SSL.
CodesInChaos
- 106,488
- 23
- 218
- 262
0
Here are known methods to establish a shared secret key over an insecure connection. One of the better known is Diffie-Hellman key exchange, though there are others.
For SSL itself, refer to the SSL documentation.
rossum
- 15,344
- 1
- 24
- 38