0

My understanding of Public Key Cryptography is that the word alleycat will be encrypted in to the same encrypted string each time if the same public key is used (which is my understanding of how HTTPS works for any given web server).

Does this mean that someone could intercept my HTTPS headers each time I try to log in to a "secure" site, and log in as me by using the same "encrypted" headers?

Callum
  • 435
  • 1
  • 4
  • 14

2 Answers2

0

HTTPS does not have headers of its own. It simply uses an encrypted "tunnel" to send regular HTTP requests. AFAIK sending the same cleartext twice over SSL/TLS does not necessarily send the same data each time.

The long and the short of it is that current implementations of public-key cryptography are pretty tight, and trying to outsmart them is unwise until you've studied crypto for a few years.

Tullo_x86
  • 2,573
  • 25
  • 27
  • "AFAIK sending the same cleartext twice over SSL/TLS does not necessarily send the same data each time" <-- this is what I need confirmation on. – Callum Mar 04 '11 at 05:16
  • I'm not a crypto expert, but I'm sure there are many sources on the net that you could look up :) From my 2 minutes on Wikipedia, it apparently depends on the cipher suite being used, but in my limited understanding on the matter, any commonly-used cipher should "rotate" to prevent frequency analysis. – Tullo_x86 Mar 06 '11 at 23:58
0

Https does not use public key encryption for transmitting data like http requests, it is used for setting up symmetric random keys. So your value might be encoded to the same ciphertext during one session, but not in any other.

Added: SSL / TLS uses random numbers in the client_hello and server_hello handshake messages to prevent replay attacks

Stephan B
  • 3,671
  • 20
  • 33