Skip to content
Learnearn.uk » IB Computer Science » Digital Certificates

Digital Certificates

Digital Certificates

Digital Certificates

One of the limitations of asymmetric encryption is that when used on its own, it is vulnerable to a man-in-the-middle attack. It is possible for an attacker to intercept the asymmetric handshake process and fool the sender and receiver into thinking they are sending secure messages. This is because although asymmetric encryption ensures secure transfer of data between two parties it does not itself ensure authentication of the identity of the parties involved. In order to ensure authentication asymmetric encryption needs to be used in conjunction with a digital certificate issued by a trustworthy certificate authority.

When an entity (such as a website) wants to apply for a digital certificate they send their public key, along with other details, to the certificate authority(CA). The CA then sends a signed copy of the digital certificate back to the entity.

Verification

Certificate verification process (for a website)

Step 1 – Certificate Requested

The user’s browser sends a message to the website server, requesting the digital certificate.

Step 2 – Certificate Sent

The website sends a copy of the digital certificate to the user.

Step 3 – Certificate Authenticated

The user’s browser verifies the validity of the certificate using the public key of the CA. Most web browsers have a preinstall cache of the public keys of trusted Certificate Authorities. The public key stored on the browser is used to verify the hash digest of the certificate.

Step 4 – Communication Begins

The user’s browser uses the public key provided within the authenticated certificate to perform asymmetric encryption on the symmetric shared key and sends the encrypted symmetric key to the website. Since only the website know the corresponding private key, only the legitimate website can decrypt the encrypted symmetric key and therefore  communication can be considered secure and authenticated.

Contents of a Digital Certificate

  • Name of the Owner – A unique identifier for that particular owner
  • Public Key of the owner
  • Issue Date of the certificate
  • Expiry Date
  • The Name of the Certificate Authority
  • Digital Certificate of the Certificate Authority (This is a hash of the above items, generated using the CA’s private key.

 

 

Digital Certificates Video

SSL Certificates Video

Keys

Public & Private Keys

Public and private keys are core components of asymmetric cryptography, also known as public-key cryptography. The public and private keys are mathematically related in such a way that data encrypted with one key can only be decrypted with the other key.

The public key is intended to be shared openly and is often associated with an individual or entity. Anyone can use the public key to encrypt data or verify digital signatures, but it cannot be used to decrypt data.

The private key is used for decrypting data that has been encrypted with the corresponding public key and for creating digital signatures.. It must be kept secret and should never be shared with anyone.

Key Exchange

Key Exchange

When a website and client establish a connection they each send their public key to the other and all subsequent data is encrypted using the recipients public key before sending. This means that only the intended recipient can decrypt the message.

Source: Wikipedia

CAs

Certificate Authorities.

Certificate Authorities (CAs) are trusted organisations who are responsible for issuing, managing, and verifying the digital certificates that websites use to prove who they are. They are used to ensure that your browser has connected to the website you think you have connected to and you have been the victim of DNS hijacking.

Websites are issued digital certificates by CAs and the certificate is encrypted using the private key of the CA. When a website communicates with a client it sends this certificate and the browser uses the public key it has been given directly by the CA to decrypt the digital certificate, verifying that the website is legitimate.

Source: Wikipedia

Diffie-Hellman

Diffie-Hellman

One of the disadvantages of asymmetric encryption is that it is computationally expensive, making it too inefficient for high speed data transmission, such as video streaming.

Once a client and server has established a connection they switch more efficient symmetric encryption using the Diffie-Hellman key-exchange technique of combining public-private key pairs in order produce a shared secret which can be used to encrypt data.

Source:Wikipedia

Signatures

Digital Signatures

 

 

 

Resources