One of the limitations of asymmetric encryption is that when used on its own, it is vulnerable to a man-in-the-middle attack. It is possible for an attacker to intercept the asymmetric handshake process and fool the sender and receiver into thinking they are sending secure messages. This is because although asymmetric encryption ensures secure transfer of data between two parties it does not itself ensure authentication of the identity of the parties involved. In order to ensure authentication asymmetric encryption needs to be used in conjunction with a digital certificate issued by a trustworthy certificate authority.
When an entity (such as a website) wants to apply for a digital certificate they send their public key, along with other details, to the certificate authority(CA). The CA then sends a signed copy of the digital certificate back to the entity.
Certificate verification process (for a website)
Step 1 – Certificate Requested
The user’s browser sends a message to the website server, requesting the digital certificate.
Step 2 – Certificate Sent
The website sends a copy of the digital certificate to the user.
Step 3 – Certificate Authenticated
The user’s browser verifies the validity of the certificate using the public key of the CA. Most web browsers have a preinstall cache of the public keys of trusted Certificate Authorities. The public key stored on the browser is used to verify the hash digest of the certificate.
Step 4 – Communication Begins
The user’s browser uses the public key provided within the authenticated certificate to perform asymmetric encryption on the symmetric shared key and sends the encrypted symmetric key to the website. Since only the website know the corresponding private key, only the legitimate website can decrypt the encrypted symmetric key and therefore communication can be considered secure and authenticated.
Contents of a Digital Certificate
- Name of the Owner – A unique identifier for that particular owner
- Public Key of the owner
- Issue Date of the certificate
- Expiry Date
- The Name of the Certificate Authority
- Digital Certificate of the Certificate Authority (This is a hash of the above items, generated using the CA’s private key.
Digital Certificates Video
SSL Certificates Video