I've got it now. I knew I had to be missing something fundamental, because if I wasn't, the whole foundation of SSL would be in jeopardy.
The pages I read talked about the client key exchange message sending the premaster secret from the client to the server, but neglected to mention that the client encrypts it using the server's public key. And once it's encrypted, the only way to get it back is using the server's private key. My brain fart was that I stupidly thought the premaster secret was sent in the clear. In hindsight, I suppose it would be rather dumb to call it a secret if it were sent in the clear. Since you have to know the premaster secret to compute the master secret, you'd either have to know the server's private key or somehow obtain the premaster secret from the client before it encrypted it. Well, thank god I've confirmed for us all that SSL is really secure after all. I'm sure you were all very worried about it. ;-) On Aug 10, 2007, at 4:03 PM, Jeff Morriss wrote: > Derek Shinaberry wrote: >> Can someone help me understand why you must have the server's private >> key in order to be able to decrypt the session between the client and >> the server? It seems to me that if the server and client can conduct >> the session without the client ever knowing the server's private key, >> then a capture of the session on the client's side ought to be able >> to decrypt the session using just what is in the SSL handshake >> exchange. What don't I understand about the process that precludes >> this behavior? > > You might want to read: > > http://en.wikipedia.org/wiki/Public_key_cryptography > _______________________________________________ > Wireshark-users mailing list > Wireshark-users@wireshark.org > http://www.wireshark.org/mailman/listinfo/wireshark-users _______________________________________________ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users
