I recently read about how HTTPS work and I have some questions to clarify. Pardon me if this sounds silly but I just need to get this clear. Correct me if I am wrong.
I got to know that as part of the beginning of TLS handshake there is a asymmetric encryption where public key from the Certificate is used to encrypt the client generated key before it is sent to the server and only server can decrypt it using its private key.
But subsequent messages (HTTP requests) use symmetric encryption with the client generated key and both client and server use this key to encrypt and decrypt application data.
There is a famous theory in cryptography saying "Repetition is not good" where if a single message is repeated in a encrypted message it is easy to crack it. If this is true all messages encrypted using client generated key will have HTTP/1.x in it as it is part of both HTTP request and response.
So in theoretically a Man in the middle with this knowledge can possibly find patterns in encrypted HTTP requests and responses and find out HTTP/1.x string in those and brute force to generate the client key which was used to encrypt these messages.
Am I correct or is this utter non sense, any answer or guiding would be highly appreciated.
Aucun commentaire:
Enregistrer un commentaire