fix spelling, grammar, add links
Source Link
kelalaka
  • 49.7k
  • 12
  • 121
  • 207

When a TLS/SSL session starts (after the hellos and cipher decisions), the server gives the client its cert. The key in the cert could perform different actions depending on the key agreement algorithm decided on by the client and server.

Let's say they agree on RSA key agreement. This means the cert contains the server's public RSA key and the server has a private RSA key used for decryption, hence "private key". The client generates a random sequence called the pre-master secret (PMS). The client uses the public RSA key on the cert to encrypt the PMS. The server decrypts the message and gets the PMS. The server and client then perform some random mixing on the PMS, which could be a KDF. The resulting master secret is used to derive keys for symmetric encryption and MAC.

Another option: the server and client could perform a Diffie-Hellman key exchange, in which the client must also generate a public-private DH pair used to exchange AND generate the PMS (due to the way DH works, the client doesn't choose the PMS). The master secret is derived as above. A more modern approach is to use session keys, in which the server cert contains its public key for verifying a signature algorithm (RSA-SHA, ECDSA) that it used to sign either an RSA or DHE (the E stands for "ephemeral" and means one-time-use keys or session keys) public key for key agreement. Thus the server is not reusing its key agreement public key. This provides perfect forward secrecy: finding the PriK (long-lived key) of the signature algorithm the server uses to sign its keys does not make all the session keys vulnerable. In addition, finding a session key should allow you to obtain information that would allow you to decrypt traffic that used another session key (the PMS could also be considered a "session key").

You could look up PKI to understand more about how cert verification works, which I did not explain. This is where the client makes sure the cert is valid.

Asymmetric crypto is used for key agreement (keys are smaller than messages) due to the high processing power required, and symmetric crypto is used for encryption and authentication of the resulting ciphertext. Also, the term key agreement is different from key exchange (more general). Key agreement means that there is no trusted third party involved in the actual exchange of keys, which is true in the case of SSL/TLS.

added 210 characters in body
Source Link
dylan7
  • 551
  • 4
  • 10

When a TLS/SSL session starts (after the hellos and cipher decisions), the server gives the client its cert. The key in the cert could perform different actions depending on the key-agreement algorithm decided on by the client and server.

Let's say they agree on RSA key agreement. This means the cert contains the server's public RSA key and the server has a private RSA key used for decryption, hence "private key". The client generates a random sequence called the pre-master secret (PMS). The client uses the public RSA key on the cert to encrypt the PMS. The server decrypts the message and gets the PMS. The server and client then perform some random mixing on the PMS, which could be a KDF. The resulting master secret is used to derive keys for symmetric encryption and MAC.

Another option is that the server and client could perform a Diffie-Hellman key exchange, in which the client must also generate a public-private DH pair used to exchange AND generate the PMS (due to the way DH works, the client doesn't choose the PMS). The MS is derived as above. A more modern approach is to use session keys, in which the server cert contains its public key for verifying a signature algorithm (RSA-SHA, ECDSA) that it used to sign either an RSA or DHE (the E means one-time-use keys or session keys) public key for key-agreement. Thus the server is not reusing its key-agreement public key. This provides perfect forward secrecy, in which finding the PriK (long-lived key) of the signature algorithm the server uses to sign its keys does not make all the session keys vulnerable. In addition, finding a session key should allow you to obtain information that would allow you to decrypt traffic that used another session key (the PMS could also be considered a "session key"). You could look up PKI to understand more about how cert verification works, which I did not explain. This is where the client makes sure the cert is valid.

Asymmetric crypto is used for key-agreement (keys are smaller than messages) due to the high processing power required, and symmetric crypto is used for encryption and authentication of the resulting cipher text. Also, the term key-agreement is different from key-exchange (more general). Key-agreement means that there is no trusted third party involved in the actual exchange of keys, which is true in the case of SSL/TLS.
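The two key-exchange flavours the answer above describes (in both revisions shown on this page), modelled end to end so the forward-secrecy claim can be checked rather than taken on faith. This is an added example, not code from dylan7's answer. It assumes a toy long-term server key (textbook RSA on the Mersenne primes 2^521-1 and 2^127-1), a toy DH group (p = 2^607-1, g = 3) and the TLS 1.2 PRF from RFC 5246 for the "random mixing" of the PMS into the master secret and then into the symmetric key block; the function and class names are my own. The attacker model is the one the answer raises: someone who recorded a handshake and later obtains the certificate's private key.

```python
"""Toy TLS 1.2-style key exchange: RSA key transport vs. signed ephemeral DH.
Pure stdlib.  The RSA key (textbook RSA on Mersenne primes) and the DH group
are ASSUMED toy parameters chosen so the arithmetic is easy to check; they are
not secure and real deployments use RFC 7919 groups or elliptic curves."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

# Server's long-term key, the one inside its certificate (toy assumption).
P_RSA = (1 << 521) - 1          # Mersenne prime M521
Q_RSA = (1 << 127) - 1          # Mersenne prime M127
N_RSA = P_RSA * Q_RSA           # ~648-bit modulus
E_RSA = 65537
D_RSA = pow(E_RSA, -1, (P_RSA - 1) * (Q_RSA - 1))

# Ephemeral DH group (toy assumption): p = 2^607-1, a Mersenne prime, g = 3.
DH_P = (1 << 607) - 1
DH_G = 3
DH_LEN = 76                     # bytes needed to encode a group element
PMS_LEN = 48                    # TLS 1.2 premaster secret length (RFC 5246 8.1.1)

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246 section 5) with SHA-256: P_SHA256(secret, label || seed)."""
    seed = label + seed
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(A(i) || seed)
    return out[:length]

def master_secret(pms: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """The 'random mixing' of the PMS: 48-byte master secret (RFC 5246 8.1)."""
    return prf(pms, b"master secret", client_random + server_random, 48)

def key_block(master: bytes, client_random: bytes, server_random: bytes, length: int) -> bytes:
    """Expand the master secret into the symmetric MAC/encryption keys (RFC 5246 6.3)."""
    return prf(master, b"key expansion", server_random + client_random, length)

def rsa_encrypt(m: bytes) -> int:
    return pow(int.from_bytes(m, "big"), E_RSA, N_RSA)

def rsa_decrypt(c: int, d: int) -> bytes:
    return pow(c, d, N_RSA).to_bytes(PMS_LEN, "big")

def rsa_sign(msg: bytes, d: int) -> int:
    return pow(int.from_bytes(hashlib.sha256(msg).digest(), "big"), d, N_RSA)

def rsa_verify(msg: bytes, sig: int) -> bool:
    return pow(sig, E_RSA, N_RSA) == int.from_bytes(hashlib.sha256(msg).digest(), "big")

@dataclass
class Transcript:
    """Everything a passive eavesdropper can record from the handshake."""
    client_random: bytes
    server_random: bytes
    rsa_encrypted_pms: Optional[int] = None   # ClientKeyExchange (RSA suites)
    dh_server_pub: Optional[int] = None       # ServerKeyExchange (DHE suites)
    dh_client_pub: Optional[int] = None       # ClientKeyExchange (DHE suites)
    server_sig: Optional[int] = None          # certificate-key signature over the DH share

def rsa_handshake() -> Tuple[bytes, Transcript]:
    """TLS_RSA_*: the client chooses the PMS and encrypts it to the certificate key."""
    t = Transcript(os.urandom(32), os.urandom(32))
    pms = os.urandom(PMS_LEN)
    t.rsa_encrypted_pms = rsa_encrypt(pms)
    assert rsa_decrypt(t.rsa_encrypted_pms, D_RSA) == pms      # server side
    return master_secret(pms, t.client_random, t.server_random), t

def dhe_handshake() -> Tuple[bytes, Transcript]:
    """TLS_DHE_RSA_*: the certificate key only signs a one-time DH share; the PMS
    is g^(xy) mod p, which neither side chooses and nobody sends."""
    t = Transcript(os.urandom(32), os.urandom(32))
    y = int.from_bytes(os.urandom(64), "big")                   # server ephemeral secret
    t.dh_server_pub = pow(DH_G, y, DH_P)
    signed = t.client_random + t.server_random + t.dh_server_pub.to_bytes(DH_LEN, "big")
    t.server_sig = rsa_sign(signed, D_RSA)
    if not rsa_verify(signed, t.server_sig):                     # client checks against cert key
        raise ValueError("bad ServerKeyExchange signature")
    x = int.from_bytes(os.urandom(64), "big")                   # client ephemeral secret
    t.dh_client_pub = pow(DH_G, x, DH_P)
    pms_c, pms_s = pow(t.dh_server_pub, x, DH_P), pow(t.dh_client_pub, y, DH_P)
    assert pms_c == pms_s                                        # x and y are then discarded
    return master_secret(pms_c.to_bytes(DH_LEN, "big"), t.client_random, t.server_random), t

def attacker_with_leaked_key(t: Transcript, leaked_d: int) -> Optional[bytes]:
    """Attacker recorded t earlier and later obtained the server's long-term private key."""
    if t.rsa_encrypted_pms is not None:
        pms = rsa_decrypt(t.rsa_encrypted_pms, leaked_d)         # no forward secrecy
        return master_secret(pms, t.client_random, t.server_random)
    # DHE: the leaked key only verifies or forges signatures; x and y never hit the
    # wire, so the recorded shares alone do not give g^(xy) (discrete-log problem).
    return None

if __name__ == "__main__":
    for name, hs in (("RSA", rsa_handshake), ("DHE", dhe_handshake)):
        ms, tr = hs()
        print(name, "master secret recovered from leaked cert key:",
              attacker_with_leaked_key(tr, D_RSA) == ms)
```

Running it prints `True` for the RSA handshake and `False` for the DHE one: the same leaked certificate key decrypts every recorded RSA-transport session, while for DHE it only lets the attacker sign future shares (active impersonation), not read past traffic. `key_block` is where the answer's last paragraph lands, the symmetric keys for the record layer all come out of that one expansion.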

added 59 characters in body; added 192 characters in body
Source Link
dylan7
  • 551
  • 4
  • 10
Source Link
dylan7
  • 551
  • 4
  • 10