How do I get symmetric key generated in SSL handshake?

2018-06-07 02:13:22

During SSL handshake the client encrypts generated pre-master secret with the server's public key and sends to the server. Both Server and Client perform steps to generate the master secret with the agreed cipher. Both the client and the server use the master secret to generate the session keys, which are symmetric keys used to encrypt and decrypt information exchanged during the SSL session

http://www.symantec.com/connect/blogs/how-does-ssl-work-what-ssl-handshake

How do I get that symmetric key, so that I can store that into database and use the same every time client connects?

Both the server and client should save that key and never do handshaking process again. Next time(even after disconnecting) they should directly start the communication using symmetric key over https.

In short, I want SSL session to last forever.

EDIT Android device is the client. Client-Server exchange only few bytes data whenever client gets online. SSL is overhead in this case, isnt it ?

How do I get that symmetric key

You can't in Java.

so that I can store that into database and use the same every time client connects?

You can't in SSL.

Both the server and client should save that key and never do handshaking process again.

You can't. It would be insecure.

Next time(even after disconnecting) they should directly start the communication using symmetric key over https.

You can't.

In short, I want SSL session to last forever.

You can't, and you don't want to. It would be insecure.

SSL is overhead in this case, isnt it?

Such questions are meaningless. Compared to what? You can't compare a secure solution to an insecure solution. If you don't want security, don't use SSL.

The question is: "How do I get that symmetric key, so that I can store that into database and use the same every time client connects?".

If all you need is a shared symmetric key just generate one on the client and send it to the other side over the SSL connection. There is really nothing to be gained by using the symmetric key generated by the SSL session.

What is the difference between using the symmetric key generated by SSL and one generated by you?

Also when using TLS 1.2 and perfect forward secrecy the symmetric key used is not the one generated by the client in the initial exchange but one generated using Ephemeral Diffie-Hellman (ECDHE-RSA, ECDHE-ECDSA).

You can not. The negotiated key should be private. For reference I send you the link to the apache environment variables. You will see that the symmetric key is not one of them

https://httpd.apache.org/docs/current/mod/mod_ssl.html

You can get the sessionID, but how to reuse the sessions must be left to the SSL / TLS protocol. It has automatic renegotiation options so you can reuse the session, even if the server has already discarded. The protocol will decide when you can or can not reuse.

See https://tools.ietf.org/html/rfc5746

链接地址: http://www.djcxy.com/p/21806.html

上一篇: 服务器安全连接握手

下一篇: 如何获得SSL握手中生成的对称密钥？