PKI/Certificates Question

Ok, trying to make sure I understand this whole asynchronous key thing.

Let's say I go to Amazon.com to do some shopping. In order for the connection to be secure, I would download the Public Key of their's(automatically & behind the scenes) created and published by say, Verisign, and then use it to send encrypted packets to amazon.com. With there Private key, they can decrypt the packet and verify that packet has not been tampered with .

What I don't get is, how do they do the same thing to me automatically? I don't have a public/private key generated by a public CA and even if I did, I wouldn't know how to publish it. If it was published, how would Amazon.com get it?

Is there something I am missing when it comes to SSL/TLS?

Find more posts tagged with

Comments

Agent6376

I'm just learning about this as well, so I may be wrong on this. From what I understand you're using their public key to send the information back, not your own. Once you download the certificate, the website establishes trust with you. You send info with the public key and it decrypts it with the private key, then it sends you info with the private.

Anyone who can explain it better or knows about it more than I do, please chime in. I'd like to know this as well.

genXrcist

Agent6376 wrote: »

I'm just learning about this as well, so I may be wrong on this. From what I understand you're using their public key to send the information back, not your own. Once you download the certificate, the website establishes trust with you. You send info with the public key and it decrypts it with the private key, then it sends you info with the private.

Anyone who can explain it better or knows about it more than I do, please chime in. I'd like to know this as well.

Yep, and this makes sense but then how does Amazon.com send something to you? If they encrypt with their private key, then a man-in-the-middle who has their public key can decrypt it before it gets to me, right?

My thought is that somehow SSL/TLS fixes this by establishing some sort of comparable Ipsec handshake process allowing us to generate new keys for that single-instance communication?

Perhaps?

dynamik

The client will randomly generate a symmetric key, encrypt that with the server's public key, and send it back to the server. PKI/asymmetric keys are just used for the symmetric key exchange since that type of encryption is more resource-intensive. The symmetric key will be used for encryption from that point on.

genXrcist

Oh!!! I got it, makes perfect sense now. Thanks Dynamik!!