谁的密钥用于加密 HTTPS 响应? [英] Whose key is used to encrypt a HTTPS response?
问题描述
我有一个依赖 HTTPS 建立的网络服务器.因此,我的服务器维护其私钥并发布任何客户端都可以用来加密其请求的公钥.由于我的服务器是唯一一个拥有私钥来解密使用服务器公钥加密的任何消息的服务器,因此任何以这种方式发送的请求都可以被认为是安全的.
I have a web server built up relying on HTTPS. So, my server maintains its private key and publish a public key that any clients can use to encrypt their request. Since my server is the only one who has the private key to decrypt any message encryped using server's public key, any request sent this way can be considered secure.
但是我的问题是在响应部分.当服务器将响应发送回客户端时,服务器将使用谁的公钥来加密响应消息?
However my question is at the response part. When the server sends the response back to the client, whose public key will the server use to encrypt the response message?
我假设服务器将使用客户端的公钥来加密响应(默认情况下?还是配置时?).如果是这样,服务器是从它发送给服务器的请求中知道客户端的公钥,还是以其他方式知道?
I assume the server will use client's public key to encrypt the response (by default? or upon configuration?). If so, does the server knows the client's public key from the request it sends to the server, or somehow else?
更新:如果我理解错误,那么在以后的通信中,每一方如何知道如何解密另一方发送的消息?某些密钥是共享的还是以某种方式共享的?
谢谢!
推荐答案
公钥不直接用于加密 HTTPS 连接上的任何底层 HTTP 流量;HTTP 请求和 HTTP 响应都不会以这种方式加密.相反,在初始 SSL 握手期间,客户端和服务器之间会协商一个特定于会话的对称密钥,然后使用该对称密钥对 HTTP 连接上双向的所有流量进行加密.
Public keys are not directly used to encrypt any of the underlying HTTP traffic on an HTTPS connection; neither the HTTP request nor the HTTP response are encrypted this way. Rather, during the initial SSL handshake, a session specific symmetric key is negotiated between the client and the server, and it's the symmetric key that is then used to encrypt all traffic on the HTTP connection in both directions.
协商对称密钥的具体机制取决于客户端和服务器之间协商的具体密码套件.这种协商总是涉及服务器的公钥和客户端发送的值;它还可能涉及诸如客户端公钥或来自服务器和客户端的单独连接特定公钥之类的项目.
The specific mechanism by which the symmetric key is negotiated depends on the specific cipher suite that is negotiated between client and server. This negotiation always involves the server's public key and a value sent by the client; it may also involve items like a client public key or separate connection specific public keys from the server and client.
可以在 RFC 5246 中找到更多详细信息,从这里开始:
Additional detail can be found in RFC 5246 starting here:
https://www.rfc-editor.org/rfc/rfc5246#section-7.3
这篇关于谁的密钥用于加密 HTTPS 响应?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
