On Wed, Apr 16, 2014 at 9:39 PM, TGLASSEY <tglassey@earthlink.net> wrote:
> BAE did this cute poster on the attack model
> https://image-store.slidesharecdn.com/6f0027d2-c58c-11e3-af1f-12313d0148e5-original.jpeg?goback=%2Egde_1271127_member_5862330295302262788
I'm guessing accuracy probably wasn't their primary concern, but...

The SSL handshake shown is wrong. Obviously it's over-simplified, and that's to be expected, but to claim that the client generates a session key and then "Encrypts it with the servers private key" and sends it over the wire is outright wrong.

The session key in and of itself is *never* transmitted over the wire (encrypted or not). Exactly what is sent depends on the exact algorithm, but presuming they are describing RSA key exchange then it's the "pre-master secret", which is then used by both the client and the server (along with other information they have exchanged) to both independently generate the session key.

Semantics perhaps, but...

Scott
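
The derivation described in the message above, as an added example that is not part of the original thread: both sides feed the pre-master secret and the exchanged randoms into the PRF and arrive at the same session keys without those keys ever crossing the wire. It assumes the TLS 1.2 PRF (RFC 5246, HMAC-SHA256) and AES-128-CBC/HMAC-SHA1 key sizes; the RSA encryption of the pre-master secret is not modelled, and the function names are illustrative.

```python
import hashlib
import hmac
import os

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash from RFC 5246 section 5, instantiated with HMAC-SHA256."""
    out, a = b"", seed                      # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()             # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_sha256(secret, label + seed, length)

def derive_session_keys(pre_master: bytes, client_random: bytes,
                        server_random: bytes) -> dict:
    """Run locally by each side; nothing returned here is ever transmitted."""
    master = prf(pre_master, b"master secret",
                 client_random + server_random, 48)
    # Key block layout assumed here: 2 x 20-byte MAC keys, 2 x 16-byte cipher keys.
    block = prf(master, b"key expansion",
                server_random + client_random, 72)
    return {"client_mac": block[0:20], "server_mac": block[20:40],
            "client_key": block[40:56], "server_key": block[56:72]}

def simulate_handshake():
    """Constructed sample values; returns both key sets and the cleartext wire data."""
    client_random = os.urandom(32)          # sent in ClientHello
    server_random = os.urandom(32)          # sent in ServerHello
    pre_master = b"\x03\x03" + os.urandom(46)
    # The client sends pre_master encrypted under the server's RSA public key
    # (omitted here); the server recovers the same 48 bytes after decryption.
    wire = [client_random, server_random]
    client_keys = derive_session_keys(pre_master, client_random, server_random)
    server_keys = derive_session_keys(pre_master, client_random, server_random)
    return client_keys, server_keys, wire

if __name__ == "__main__":
    c, s, _ = simulate_handshake()
    print("keys match:", c == s)
```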