
Question

In public key cryptography we can also use session keys which are symmetric. How does the sender (say a server) provide this session key information to its clients?

If the sender (here the server) provides the session key by encrypting it using its private key, all the clients (including a malicious one) can decrypt it (using the available public key) and see that session key, right? The server can't use the public key to encrypt the session key since none of the clients have the private key to decrypt it.

I am wondering what information I have missed here to understand the basic idea of session key distribution.

Explanation / Answer

Normally, the client sends the session key. This means that clients cannot decrypt other session keys.

Although this approach ensures each session is safe from information gathered in other sessions, it doesn't guard the session against an attacker later acquiring the server's key and retrospectively decoding all recorded sessions.

Guarding against that threat is termed Perfect Forward Privacy. This can be achieved using ephemeral Diffie-Hellman (EDH, DHE) key exchange.

There is an excellent blog explaining recent improvements in Perfect Forward Secrecy which is well worth reading.
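The following is an added example, not part of the answer above, that models the two designs the answer contrasts: in the first, the client picks the session key and sends it wrapped under the server's long-term public key (hashed ElGamal is used here in place of RSA, since it needs only the standard library); in the second, both sides use ephemeral Diffie-Hellman shares. A recorded transcript is then "attacked" with the server's long-term private key to show that the wrapped session key is recovered while the DHE key is not. All function names, the simplified SHA-256 key derivation and the use of a 1024-bit MODP group are choices made for this illustration.

```python
import hashlib
import secrets

# 1024-bit MODP group ("group 2") as transcribed from RFC 2409. The demonstration does
# not depend on the transcription being exact, but verify it against the RFC before
# using it for anything real; modern deployments use larger groups or elliptic curves.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF",
    16,
)
G = 2
KEY_LEN = 32  # bytes; SHA-256 output length


def kdf(shared_secret: int) -> bytes:
    """Simplified key derivation (assumption): SHA-256 over the fixed-width big-endian
    shared secret. Real protocols use HKDF bound to the handshake transcript."""
    width = (P.bit_length() + 7) // 8
    return hashlib.sha256(shared_secret.to_bytes(width, "big")).digest()


def gen_private() -> int:
    return secrets.randbelow(P - 2) + 1  # exponent in [1, P-2]


def public_of(private: int) -> int:
    return pow(G, private, P)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- Scheme A: the client picks the session key and sends it to the server wrapped
# under the server's long-term public key (hashed ElGamal stands in for RSA here).
def client_wrap_session_key(server_pub: int, session_key: bytes, client_eph_priv: int):
    """Returns the ciphertext (c1, c2) that goes over the wire."""
    c1 = public_of(client_eph_priv)
    mask = kdf(pow(server_pub, client_eph_priv, P))
    return c1, xor(session_key, mask)


def server_unwrap_session_key(server_priv: int, c1: int, c2: bytes) -> bytes:
    return xor(c2, kdf(pow(c1, server_priv, P)))


def retrospective_attack_wrapped(leaked_server_priv: int, c1: int, c2: bytes) -> bytes:
    """Someone who recorded (c1, c2) and later obtains the server's long-term private
    key recovers the session key exactly as the server did."""
    return server_unwrap_session_key(leaked_server_priv, c1, c2)


# --- Scheme B: ephemeral Diffie-Hellman (DHE). Both sides use fresh exponents; the
# server's long-term key would only sign its share, so it never protects secrecy.
def dhe_session_key(my_eph_priv: int, peer_eph_pub: int) -> bytes:
    return kdf(pow(peer_eph_pub, my_eph_priv, P))


def retrospective_attack_dhe(leaked_server_priv: int, client_eph_pub: int) -> bytes:
    """The recorded transcript holds only g^x and g^y. Applying the leaked long-term
    key the same way as in Scheme A yields a value unrelated to the real session key."""
    return kdf(pow(client_eph_pub, leaked_server_priv, P))


def demo() -> dict:
    """Run both schemes once and report whether a later key compromise exposes them."""
    server_priv = gen_private()
    server_pub = public_of(server_priv)

    # Scheme A: client-chosen session key wrapped under the server's long-term key.
    session_key = secrets.token_bytes(KEY_LEN)
    x = gen_private()
    c1, c2 = client_wrap_session_key(server_pub, session_key, x)
    assert server_unwrap_session_key(server_priv, c1, c2) == session_key
    wrapped_exposed = retrospective_attack_wrapped(server_priv, c1, c2) == session_key

    # Scheme B: ephemeral shares on both sides.
    x, y = gen_private(), gen_private()
    k_client = dhe_session_key(x, public_of(y))
    k_server = dhe_session_key(y, public_of(x))
    assert k_client == k_server
    dhe_exposed = retrospective_attack_dhe(server_priv, public_of(x)) == k_client

    return {"wrapped_key_exposed_by_leak": wrapped_exposed, "dhe_exposed_by_leak": dhe_exposed}


if __name__ == "__main__":
    print(demo())  # {'wrapped_key_exposed_by_leak': True, 'dhe_exposed_by_leak': False}
```

The point of the two `retrospective_attack_*` functions is that the recorded transcript is identical in shape for both schemes (a group element from the client), yet only in Scheme A does the server's long-term private key turn that transcript into the session key; in Scheme B the secrecy rests on exponents that were discarded after the handshake, which is what the answer's "Perfect Forward" property means.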