In my Java project I’m trying to create a 100% secure method of communication between the method and the client. I used to use this process:
Client: generates 4096-bit RSA keypair
Client: sends public to server
Client: generates 256-bit AES key
Client: encrypts AES key using RSA and sends
Server: decrypts AES key from RSA
Server & Client now communicate using AES only
But I found out this isn’t safe as it can easily be ruined by a man-in-the-middle attack. I began researching TLS and found out about security certificates. My question is this: if the client generates the RSA keypair, signs it using the certificate, and sends it to the server, what stops a MITM from doing the same thing (assuming the certificate is publicly available, which I assume it would be because the server and the client would both need it).
When I use OpenSSL to generate a certificate it always provides an RSA key alongside it. Isn’t it safer to generate a new keypair for each connection, or do I actually use this particular key? What am I missing about the standard pattern for TLS?
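To make the question concrete, the following is an added example (not the asker's code, and in Go rather than the Java of the project, because Go's standard library covers RSA, OAEP, PSS and key encoding without extra dependencies). It runs the exchange from the question three ways: the unauthenticated version, where a man-in-the-middle swaps the per-connection public key for their own and learns the AES key; the same exchange with the per-connection key signed by a long-term key whose public half the client has pinned, where the swap is rejected; and the signed exchange on an honest wire. Assumptions: the "certificate" is modelled as the client's pinned copy of the server's long-term public key (a real certificate adds a CA signature and an identity binding, which this leaves out), 2048-bit keys are used instead of 4096 only to keep it fast, and RSA-OAEP and RSA-PSS are the padding schemes chosen here.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// keyBits is 2048 to keep the demo fast (the post uses 4096). Key size is not what
// decides the MITM question; whether the public key is authenticated is.
const keyBits = 2048

// offer is what goes on the wire: a fresh public key and, in the authenticated
// variant, an RSA-PSS signature over it made with the long-term key.
type offer struct {
	pubDER []byte // PKCS#1 DER of the per-connection RSA public key
	sig    []byte // signature over pubDER by the long-term key; nil when unsigned
}

func newKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, keyBits) }

// makeOffer publishes eph's public key, signed with longTerm when it is non-nil.
// Signing is the step the certificate's private key performs in TLS.
func makeOffer(eph, longTerm *rsa.PrivateKey) (offer, error) {
	o := offer{pubDER: x509.MarshalPKCS1PublicKey(&eph.PublicKey)}
	if longTerm != nil {
		h := sha256.Sum256(o.pubDER)
		sig, err := rsa.SignPSS(rand.Reader, longTerm, crypto.SHA256, h[:], nil)
		if err != nil {
			return offer{}, err
		}
		o.sig = sig
	}
	return o, nil
}

// acceptOffer is the receiving side. With a pinned trust anchor it refuses any key
// the anchor's owner did not sign; with nil it trusts whatever arrived (the post's protocol).
func acceptOffer(o offer, pinned *rsa.PublicKey) (*rsa.PublicKey, error) {
	if pinned != nil {
		h := sha256.Sum256(o.pubDER)
		if err := rsa.VerifyPSS(pinned, crypto.SHA256, h[:], o.sig, nil); err != nil {
			return nil, errors.New("offered public key is not signed by the pinned key")
		}
	}
	return x509.ParsePKCS1PublicKey(o.pubDER)
}

// wrapKey and unwrapKey carry the 256-bit AES session key under RSA-OAEP.
func wrapKey(pub *rsa.PublicKey, k []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, k, nil)
}
func unwrapKey(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// runExchange simulates one connection. server holds the long-term key (the one
// OpenSSL generates alongside the certificate); pinned is the client's copy of its
// public half, or nil for the unauthenticated protocol. sign controls whether the
// per-connection key is signed; mitm puts an attacker on the wire who replaces that
// key with their own and re-wraps the session key so the server notices nothing.
// It reports whether the client accepted and whether the attacker learned the AES key.
func runExchange(server *rsa.PrivateKey, pinned *rsa.PublicKey, sign, mitm bool) (accepted, attackerKnowsKey bool, err error) {
	eph, err := newKey() // fresh per connection, as the post proposes
	if err != nil {
		return false, false, err
	}
	var signer *rsa.PrivateKey
	if sign {
		signer = server
	}
	wire, err := makeOffer(eph, signer)
	if err != nil {
		return false, false, err
	}
	var attacker *rsa.PrivateKey
	if mitm {
		if attacker, err = newKey(); err != nil {
			return false, false, err
		}
		// The attacker can swap the key but cannot sign it: that needs the server's
		// long-term private key, which never left the server. Forwarding the old
		// signature (or signing with their own key) fails the pinned check either way.
		wire.pubDER = x509.MarshalPKCS1PublicKey(&attacker.PublicKey)
	}
	pub, err := acceptOffer(wire, pinned) // client side
	if err != nil {
		return false, false, nil // client aborts before sending anything secret
	}
	aesKey := make([]byte, 32)
	if _, err = rand.Read(aesKey); err != nil {
		return false, false, err
	}
	ct, err := wrapKey(pub, aesKey)
	if err != nil {
		return false, false, err
	}
	var learned []byte
	if mitm { // attacker unwraps with their key, re-wraps under the real one
		if learned, err = unwrapKey(attacker, ct); err != nil {
			return false, false, err
		}
		if ct, err = wrapKey(&eph.PublicKey, learned); err != nil {
			return false, false, err
		}
	}
	got, err := unwrapKey(eph, ct) // server side
	if err != nil {
		return false, false, err
	}
	if !bytes.Equal(got, aesKey) {
		return false, false, errors.New("server and client disagree on the session key")
	}
	return true, bytes.Equal(learned, aesKey), nil
}

func main() {
	server, err := newKey()
	if err != nil {
		panic(err)
	}
	for _, c := range []struct {
		name       string
		pinned     *rsa.PublicKey
		sign, mitm bool
	}{
		{"unsigned key, MITM on the wire", nil, false, true},
		{"signed key, pinned anchor, MITM on the wire", &server.PublicKey, true, true},
		{"signed key, pinned anchor, honest wire", &server.PublicKey, true, false},
	} {
		ok, leaked, err := runExchange(server, c.pinned, c.sign, c.mitm)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-44s accepted=%-5v attacker knows AES key=%v\n", c.name, ok, leaked)
	}
}
```

The point the example makes about the question's last paragraph: the per-connection key can indeed be fresh every time, but something long-lived and private to the server has to vouch for it, and that is the key OpenSSL generated alongside the certificate. The certificate being public does not help the attacker, because it contains only the public half; the signature the client checks can only be made with the private half.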