While surfing the web through a browser, when does the server send the public key to the client? Or is it the other way around?
I was reading a response to a question earlier and wanted to comment but due to my lack of reputation, I couldn't.
I hope this can answer your question:
When visiting a website using 'https' or 'http over tls/ssl', the key exchange works something like this:
- The Client sends a "Client Hello" to the server.
- The server generates both the public and private key.
- The Server answers with "Server Hello" and sends the public key to the Client.
- The Client encrypts a so-called pre-master secret with this public key and sends it to the server.
- The Server can then decrypt this pre-master secret with his private key.
- Both the Server and the Client calculate a master secret from the pre-master secret.
- Both the Server and the Client calculate the session key (for a symmetric encryption) from this secret.
Now the Client and Server can communicate with this session key.
Reference:
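The exchange the answer above describes is the RSA key exchange of TLS 1.2 and earlier. Below is an added simulation of it (not code from the original post): the public-key step uses a textbook RSA pair built from two fixed Mersenne primes, a constructed stand-in for the key that in practice sits in the server's certificate and is not generated during the handshake; the master-secret and session-key derivation follow the TLS 1.2 PRF from RFC 5246.

```python
import hashlib
import hmac
import os

# Constructed toy RSA pair from two known Mersenne primes (2^521-1, 2^607-1).
# Real servers use a certificate key generated in advance, and real TLS wraps
# the pre-master secret in PKCS#1 v1.5 padding before encrypting; both are
# left out here so the handshake flow stays visible.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def p_hash(secret, seed, length):
    """P_SHA256 expansion from RFC 5246 section 5: HMAC chain until enough output."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def prf(secret, label, seed, length):
    """TLS 1.2 PRF: P_hash(secret, label + seed)."""
    return p_hash(secret, label + seed, length)

def client_encrypt_pms(pre_master, server_pub):
    """Client side: encrypt the pre-master secret to the server's public key."""
    e, n = server_pub
    return pow(int.from_bytes(pre_master, "big"), e, n)

def server_decrypt_pms(ciphertext, server_priv, size):
    """Server side: recover the pre-master secret with the private key."""
    d, n = server_priv
    return pow(ciphertext, d, n).to_bytes(size, "big")

def handshake():
    """Run the exchange and return what each side ends up holding."""
    client_random, server_random = os.urandom(32), os.urandom(32)   # from the Hellos
    pre_master = b"\x03\x03" + os.urandom(46)    # 48 bytes, version-prefixed as in TLS 1.2
    encrypted = client_encrypt_pms(pre_master, (E, N))
    recovered = server_decrypt_pms(encrypted, (D, N), 48)
    # Both sides derive the master secret, then the key block holding the session keys.
    seed_ms = client_random + server_random
    seed_kb = server_random + client_random
    ms_client = prf(pre_master, b"master secret", seed_ms, 48)
    ms_server = prf(recovered, b"master secret", seed_ms, 48)
    return {"pre_master": pre_master, "recovered": recovered,
            "ms_client": ms_client, "ms_server": ms_server,
            "kb_client": prf(ms_client, b"key expansion", seed_kb, 64),
            "kb_server": prf(ms_server, b"key expansion", seed_kb, 64)}
```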