
Symmetrical and Asymmetrical clarification

Robbo777 Member Posts: 331
Hi, I need some clarity on a few things regarding symmetrical and asymmetrical encryption and the process of it. I think I have a fairly good understanding of how it is all set up and works, but there are a few things that just don't connect with me.


One being, when out of curiosity I use the feature in Chrome to look at what encryption and security etc. is being used, say on a bank website, to see what they use as an example, it says they're using AES256 for encryption, okay, and then SHA1-HMAC for message integrity and authentication, okay, but then at the end it says it uses RSA for the key exchange mechanism. THIS is what I don't understand: I was under the impression that AES is symmetrical encryption and will use Diffie-Hellman to generate a shared secret key that will be the formula used when encrypting with AES, and which can decrypt the data at the other end as well.
So, how is it also using asymmetrical encryption for "key exchange"? This is what is not clicking with me: there is already one symmetrical key that is being used, so how and why is RSA also being used for "key exchange"? Is it for some kind of authentication that I'm not aware of, for usernames and passwords or something else??? Where does the "public and private key pair" for asymmetrical encryption come into play? Is it only used somewhere in the RSA key exchange?


As I say, I think I have a fairly decent understanding, BUT this one piece of the puzzle is what I'm just not understanding. Can anyone help by explaining it to me?


Cheers.

Comments

    OctalDump Member Posts: 1,722
    They use asymmetric encryption to exchange the symmetric session key. This allows them to have the best of both worlds - public keys to get around the key distribution problem, and symmetric encryption for speed.
    2017 Goals - Something Cisco, Something Linux, Agile PM
    Robbo777 Member Posts: 331
    Thanks for your help as always; that's great as well, I finally understand that now also.
    One thing I would like to ask now is: when the symmetrical encryption from AES or RC4 is done over SSL, the "session key" is created, but what exactly goes into this session key? Is it a symmetrical key that is generated by the browser or the encryption algorithm? Or is it simply a kind of session ID, similar to a cookie, that allows the server to validate the user's session? What generates the key? I'm unsure of these things.

    Then, now I know it's encrypted using the public key of the SSL server so it can be sent over the internet and then decrypted using the private key, and then the rest of the data that is encrypted using AES can be safely decrypted using the symmetrical key the SSL server has.
    OctalDump Member Posts: 1,722
    This explains the key generation bit. Basically, mathematical magic.
    2017 Goals - Something Cisco, Something Linux, Agile PM
    Robbo777 Member Posts: 331
    OctalDump wrote:
    This explains the key generation bit. Basically, mathematical magic.

    So the session key is done using Diffie-Hellman, using an asymmetric formula on a symmetric encryption such as AES etc.?

    Thanks