Reputation: 4606
From what I understand, SSL uses asymmetric cryptography to securely exchange a session key generated by the client, which is then used for symmetric encryption. I have a few questions about this.
Upvotes: 0
Views: 1196
Reputation: 310957
From what I understand SSL uses asymmetric cryptography to securely exchange a session key generated by the client, which is then used for symmetric encryption.
No, you don't understand. The session key is derived independently at both ends. It is never transmitted.
- How long is this session key valid?
As long as a piece of string. It is valid until a re-handshake is performed, which can be initiated by either peer at any time.
- How does the server keep track of which session key is valid for which client?
In the SSL Session.
Does the server keep track of this by the client's IP address?
No, by the session ID which is negotiated during the handshake.
(That is, session key "A" belongs to client xx.xxx.xx.xx.) If yes, couldn't my IP address be the same as that of other people who use the same ISP and live in my vicinity?
No. They thought of that, surprisingly enough.
Does the server instead use both IP address and port number to keep track of the client?
No, it uses the SSL session, and also the HTTP session in the case of Web servers.
If so, wouldn't the port number change for every HTTP/HTTPS request?
Yes, which is why they don't use it. They thought about that too.
Which would mean that the session key cannot be mapped back to the client anymore.
Which is why they don't do it. You've just invented yet another obvious vulnerability that would be obviously stupid to implement. You can stop now. They really did think about all this stuff.
Upvotes: 1
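The two points the answer makes (the session keys are derived at each end rather than transmitted, and the server finds the right session by session ID, not by IP or port) can be shown with the TLS 1.2 PRF from RFC 5246 section 5. This is an added example, not code from the question or answer; the handshake values and the `SessionCache` class are constructed for illustration.

```python
import hashlib
import hmac
import os

# TLS 1.2 pseudo-random function (RFC 5246, section 5) built on HMAC-SHA256.
def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256: chain A(i) = HMAC(secret, A(i-1)) and emit HMAC(secret, A(i) + seed)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_hash(secret, label + seed, length)

def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte master secret; each peer computes it locally, it is never sent."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)

def key_block(master: bytes, client_random: bytes, server_random: bytes, length: int) -> bytes:
    """Key expansion; note the randoms are concatenated server-first here."""
    return prf(master, b"key expansion", server_random + client_random, length)

class SessionCache:
    """Constructed server-side cache keyed by the negotiated session ID, never by IP/port."""
    def __init__(self):
        self._by_id = {}
    def store(self, master: bytes) -> bytes:
        session_id = os.urandom(32)          # opaque ID carried in ServerHello
        self._by_id[session_id] = master
        return session_id
    def resume(self, session_id: bytes):
        return self._by_id.get(session_id)   # None means a full handshake is needed

def handshake_demo() -> dict:
    # Constructed handshake values, not captured traffic. The key exchange protects
    # the pre-master secret; everything derived from it below stays off the wire.
    client_random = bytes.fromhex("11" * 32)
    server_random = bytes.fromhex("22" * 32)
    pre_master = bytes.fromhex("0303" + "ab" * 46)
    client_ms = master_secret(pre_master, client_random, server_random)  # client side
    server_ms = master_secret(pre_master, client_random, server_random)  # server side
    # AES_128_GCM needs 2 x 16-byte keys + 2 x 4-byte implicit nonces = 40 bytes.
    keys = key_block(server_ms, client_random, server_random, 40)
    cache = SessionCache()
    sid_a = cache.store(server_ms)   # two clients behind one NAT/IP get distinct IDs
    sid_b = cache.store(master_secret(os.urandom(48), client_random, server_random))
    return {"client_ms": client_ms, "server_ms": server_ms, "keys": keys,
            "cache": cache, "sid_a": sid_a, "sid_b": sid_b}
```

Changing either random (or the pre-master secret) on one side yields a different master secret, which is why the Finished messages fail when the two ends disagree.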