views: 23, answers: 1

I have a small confusion about the SSL handshake between browser and server in a typical HTTPS web scenario:

What I have understood so far is that in the process of the SSL handshake, the client (browser in this case) encrypts a randomly selected symmetric key with the public key (certificate received from the server). This is sent back to the server, and the server decrypts it (the symmetric key) with the private key. This symmetric key is now used during the rest of the session to encrypt/decrypt the messages at both ends. One of the main reasons to do so is given as faster encryption using symmetric keys.

Questions: 1) How does the browser pick and generate this "randomly" selected symmetric key?

2) Do developers (and/or browser users) have control over this mechanism of generating symmetric keys?

+1  A: 

The browser just generates a random number, which is then called the symmetric key, and encrypts it with the server's public key. It should be as random as possible to prevent potential attacks. It can be done using cryptographic libraries or manually.

The only one who has control over this process is the developer of the browser. Users don't have access to it; it is completely transparent to them.

Andrey
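The answer above describes the RSA key exchange of TLS 1.2 and earlier (the question does not name a version; TLS 1.3 removed this exchange altogether). The following is an added example, not code from the question or the answer, showing the two steps a client actually performs around that "random number" in TLS 1.2 as specified in RFC 5246: drawing the 48-byte premaster secret from the operating system's CSPRNG (with the 2-byte client version in front, which the server checks against the offered version), and expanding it together with both hello randoms into the 48-byte master secret via the TLS PRF. It goes beyond the answer in showing the derivation step; the RSA encryption of the premaster secret to the server's certificate key is left out, since the standard library has no RSA. The handshake randoms are constructed sample values.

```python
import hmac
import hashlib
import secrets

# TLS 1.2 constants (RFC 5246). For the RSA key exchange the premaster secret
# is 48 bytes: a 2-byte client_version followed by 46 CSPRNG bytes (section 7.4.7.1).
TLS12_VERSION = b"\x03\x03"
PREMASTER_LEN = 48
MASTER_SECRET_LEN = 48
MASTER_SECRET_LABEL = b"master secret"


def generate_premaster_secret(client_version=TLS12_VERSION):
    """The 'randomly selected symmetric key' from the question.

    A browser must draw these bytes from a cryptographically secure generator;
    `secrets` wraps the OS CSPRNG (os.urandom). A deterministic or poorly seeded
    generator here would make every session key guessable. The leading version
    bytes let the server detect a downgraded ClientHello.
    """
    if len(client_version) != 2:
        raise ValueError("client_version must be 2 bytes")
    return client_version + secrets.token_bytes(PREMASTER_LEN - 2)


def p_hash(secret, seed, length, digest=hashlib.sha256):
    """P_hash data expansion from RFC 5246 section 5: HMAC chain over A(i) + seed."""
    out = bytearray()
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()          # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, digest).digest()  # HMAC(secret, A(i) + seed)
    return bytes(out[:length])


def prf(secret, label, seed, length):
    """TLS 1.2 PRF: P_SHA256(secret, label + seed) (RFC 5246 section 5)."""
    return p_hash(secret, label + seed, length)


def derive_master_secret(premaster, client_random, server_random):
    """master_secret = PRF(pre_master_secret, "master secret",
    ClientHello.random + ServerHello.random)[0..47]  (RFC 5246 section 8.1)."""
    if len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("ClientHello.random and ServerHello.random are 32 bytes each")
    return prf(premaster, MASTER_SECRET_LABEL, client_random + server_random, MASTER_SECRET_LEN)


def check_premaster_version(premaster, expected_version=TLS12_VERSION):
    """Server-side check: the version inside the decrypted premaster must match
    the version the client offered in ClientHello (RFC 5246 section 7.4.7.1)."""
    return len(premaster) == PREMASTER_LEN and premaster[:2] == expected_version


if __name__ == "__main__":
    # Constructed sample handshake values; a real client and server each draw their own.
    client_random = secrets.token_bytes(32)
    server_random = secrets.token_bytes(32)
    premaster = generate_premaster_secret()
    # Here the real client RSA-encrypts `premaster` to the server's certificate
    # public key and sends it in ClientKeyExchange (not shown).
    master = derive_master_secret(premaster, client_random, server_random)
    print("premaster:    ", premaster.hex())
    print("master secret:", master.hex())
    print("version check:", check_premaster_version(premaster))
```

Both sides end up with the same master secret only because both already hold the premaster secret and both hello randoms; the randoms keep the master secret fresh even if a premaster secret were ever reused, but they are public, so all confidentiality rests on the 46 CSPRNG bytes and on the server's private key.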