Petar Minchev

Reputation: 47363

Secure communication basics

Till now I haven't really studied secure communication and I have some basic questions. Assume there is a browser (the client) and a server. From what I have understood, the server has both a public and a private key. The public key is known by everyone and the private key only by the server. So when the client sends a message to the server, it is encrypted with the public key of the server and only the server can decrypt it (because only the server has the private key).

Now to my question: What happens when the server wants to send a message to the client? The server encrypts the message with its private key and the client decrypts it with the public key (it is known by everyone). So far so good. But if someone sniffs the traffic, he can also decrypt the message, because everyone knows the public key. How is it secure? I am sure I don't understand something really basic here :(

Thanks in advance!

Best regards, Petar

Upvotes: 1

Views: 221

Answers (2)

garph0

Reputation: 1708

Simplifying a lot: the client generates a key for symmetric cryptography and sends it to the server, encrypting it with the public key of the server. In this way a secure key exchange takes place. From there on, client and server use symmetric cryptography with the exchanged key. The standard way is the Diffie-Hellman key exchange, which is a little more complicated than the given example.

Upvotes: 5

Jon

Reputation: 437326

Secure communications involve not only encryption (which is actually the easy part) but also, and more importantly, authentication.

It is possible to establish encrypted communications between two parties without needing any keys exchanged beforehand (e.g. see Diffie–Hellman key exchange).

The hard part is making sure that whoever you are talking to is trustworthy. This is where public and private keys come in.

So the workflow goes somewhat like this:

  1. A connection is made between client and server.
  2. The client already knows the server's public key (asymmetric cryptography), so it can prove that the other endpoint is who they say they are: the public key is used to decrypt a token that, when validated, shows that it was indeed encrypted with the server's private key.
  3. Now that authentication is complete, the two parties use some method like Diffie-Hellman above to establish a shared secret.
  4. This shared secret is used as the encryption/decryption key (symmetric cryptography) for all data exchanges for the remainder of the client/server session.
  5. When the connection is closed, the above encryption key is discarded. If a new connection is established, the algorithm above will generate a new encryption key for that new session.

Upvotes: 3
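
The workflow described in the answers above, as an added example that is not part of either answer: the server's private key is only used to sign (anyone may verify, and nothing secret is revealed), while the encryption key comes from Diffie-Hellman and is never sent. It goes slightly beyond the listed steps by having the server sign its Diffie-Hellman share, which ties authentication to the key agreement. All parameters are toy-sized constructed values, and the hash-based keystream is a stand-in for a real symmetric cipher.

```python
import hashlib
import secrets

# Toy parameters, constructed for illustration only (far too small for real use).
P, Q = 2**61 - 1, 2**89 - 1            # RSA primes
N, E = P * Q, 65537                    # server's PUBLIC key, known to everyone
D = pow(E, -1, (P - 1) * (Q - 1))      # server's PRIVATE key
DH_P, DH_G = 2**127 - 1, 3             # Diffie-Hellman modulus and base

def digest(value: int) -> int:
    h = hashlib.sha256(str(value).encode()).digest()
    return int.from_bytes(h, "big") % N

def sign(value: int) -> int:
    """Only the holder of D can produce this (textbook RSA, no padding)."""
    return pow(digest(value), D, N)

def verify(value: int, sig: int) -> bool:
    """Anyone can check a signature with the public key; that is the point."""
    return pow(sig, E, N) == digest(value)

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: SHA-256 in counter mode XORed with the data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def handshake(tamper: bool = False):
    """Return (client_key, server_key), or None if authentication fails."""
    # Server: fresh DH secret per session; public share signed with D.
    s_priv = secrets.randbelow(DH_P - 2) + 1
    s_pub = pow(DH_G, s_priv, DH_P)
    sig = sign(s_pub)
    if tamper:                         # share replaced in transit
        s_pub = pow(DH_G, 12345, DH_P)
    # Client: refuse to continue unless the share verifies under (N, E).
    if not verify(s_pub, sig):
        return None
    c_priv = secrets.randbelow(DH_P - 2) + 1
    c_pub = pow(DH_G, c_priv, DH_P)
    # Each side combines its own secret with the other's public share.
    c_key = hashlib.sha256(str(pow(s_pub, c_priv, DH_P)).encode()).digest()
    s_key = hashlib.sha256(str(pow(c_pub, s_priv, DH_P)).encode()).digest()
    return c_key, s_key
```

An observer sees only `s_pub`, `sig` and `c_pub`; the session key is computed independently on each side and is different for every call to `handshake()`.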
