encryption for the internet


homeydontplaydat
03-17-03, 02:56 PM
okay this might sound really dumb and i have asked a number of my friends already but still do not understand

when a client and server establish a secure connection there is some ssl handshake and then public keys private keys and symmetric keys are exchanged right?

from the way i see it at some point (ie. the very first communication) some information about keys must be sent without being encoded or else the receiving end could not decode data right? couldn't someone use this data to receive the data and decode it?

i'm probably wrong so feel free to correct me.

LSatyl
03-21-03, 05:20 AM
Originally posted by homeydontplaydat
when a client and server establish a secure connection there is some ssl handshake and then public keys private keys and symmetric keys are exchanged right?
Close but no cigar :)

The simplified explanation :

SSL uses two kinds of Encryption:
- a public/private key encryption to initiate the connection
This method of encryption uses an algorithm such that a message which is encrypted with a public key can only be decrypted by the corresponding private key.
- a symmetric key encryption for communication
This method of encryption works on the basis of a shared secret. The two parties communicating must both have the *exact same* key to encrypt and decrypt messages.

Symmetric key encryption is generally harder to break than public/private key encryption.


What happens when you initiate an ssl connection:
- The client notifies the server
- The server sends its public key to the client
- The client then generates a secret key, and encrypts it using the server's public key
- The server can decrypt the client message using its private key, and then use the secret key for communication

We now have completed the SSL Handshake and have a secure communications channel.

There is a lot more going on in the background, like selecting the exact algorithm used for encryption, but this explains the basics (I hope).
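
The handshake steps from the post above, as an added example that is not part of the original thread. It records everything that crosses the wire so you can see what an eavesdropper gets. The function names, the toy prime sizes, the unpadded RSA and the SHA-256 XOR keystream are assumptions chosen to stay inside the Python standard library; none of them is what SSL actually uses.

```python
# Added illustration: toy RSA key transport, following the handshake steps above.
# Textbook RSA without padding and a SHA-256 XOR keystream are stand-ins
# chosen to stay in the standard library; neither is safe for real use.
import hashlib
import secrets

P, Q = 2**127 - 1, 2**89 - 1      # two known Mersenne primes (toy sizes)
E = 65537                         # public exponent

def server_keypair():
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, never sent
    return (n, E), (n, d)

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric stand-in: XOR data with SHA-256(key || offset) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def handshake(message: bytes):
    wire = []                     # everything a passive eavesdropper sees
    public, private = server_keypair()
    wire.append(("server->client", "public key", public))

    # Client: pick a random secret and encrypt it to the server's public key.
    client_secret = secrets.token_bytes(16)
    n, e = public
    wrapped = pow(int.from_bytes(client_secret, "big"), e, n)
    wire.append(("client->server", "encrypted secret", wrapped))

    # Server: only the private exponent d undoes that encryption.
    n, d = private
    server_secret = pow(wrapped, d, n).to_bytes(16, "big")

    # Both sides now hold the same secret and switch to symmetric encryption.
    ciphertext = keystream_xor(client_secret, message)
    wire.append(("client->server", "application data", ciphertext))
    plaintext = keystream_xor(server_secret, ciphertext)
    return wire, client_secret, server_secret, plaintext

if __name__ == "__main__":
    for direction, label, value in handshake(b"GET /account HTTP/1.0")[0]:
        print(direction, label, value)
```

The `wire` list holds only the public key, the encrypted secret and the ciphertext; the private exponent and the shared secret never appear in it.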