I am trying to better understand how TLS works. I understand in the normal use case you need various random values generated and used in the key exchange, to prevent some MITM reusing a previous transmission to spoof the server or the client.
However, let us assume some degenerate case where there is a single server whose single public key is already known by its clients as well as various adversaries. In this case, I would think all that is strictly speaking necessary to perform a secure key exchange would be the following:
- Client uses server's public RSA key to encrypt random symmetric session key
- Client sends server encrypted session key
- Server decrypts session key using server's private RSA key
- Server uses session key to encrypt a "finished" message
- Server sends client encrypted "finished" message
- Client uses session key to decrypt "finished" message
- Client verifies message is "finished", handshake is complete
So in this simplified process, the only value changing each session is the session key itself, so no previous client or server random is used; and there is no pre-master secret, again only the session key.
This feels like a drastic oversimplification of things, but I am having trouble seeing what I am missing. If the main purpose of a key exchange is to make sure the server is the only one getting the session key, this seems to be secure. Proof by contradition, tracking the above process again, but from the perspective of an adversary:
- Adversary already has the server's public key, could encrypt its own symmetric session key for MITM purposes
- Adversary can see encrypted session key from client, but cannot decrypt it; can send server its own encrypted MITM session key
- Server decrypts MITM session key, unaware of its origin
- Server uses MITM session key to encrypt "finished"
- Server sends client (in fact adversary) encrypted "finished"
- Adversary can decrypt "finished", but cannot re-encrypt and send to client with client's session key, which adversary cannot decrypt
- Client will ultimately never receive correctly encrypted "finished", either from server or adversary
So it seems the only potential weakness here is that the server has no way of knowing whether it is communicating with a legitimate client or an adversary - but as I understand it, authenticating the client was never in view to begin with. Authenticating the server is, but in this case that is not a concern since there is only a single server.
So am I correct in understanding that if one were to employ this scheme, it would be impossible for an adversary to perform a MITM attack? Or how could this be defeated?