You are developing a client/server-based application in which the client shall communicate with the server through a trusted channel. Which of the following is the best design of key exchange to encrypt data in transit? (Source: Wentz QOTD)
A. The client encrypts the preshared key using its private key
B. The client encrypts the premaster key using the server’s private key
C. The client encrypts the session key using the server’s public key
D. The client encrypts the master key using the server’s public key
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. The client encrypts the session key using the server’s public key.
The session key, which is generated from the master key, is used to encrypt data. The master key has a fixed length and is produced from the premaster key, whose length varies with the key exchange method.
The purpose of the master key is to generate session key(s), not to encrypt data.
The Purpose of the Private Key
The purpose of the private key is to sign documents, not to encrypt them. The secret key should be encrypted with the recipient’s public key.