Friday, May 10, 2019

SSL certificate and private key

In ordinary key-pair-based PKI (public key infrastructure), a private key and a public key form a pair: one key is used to encrypt and the other to decrypt. In a certificate-based system, the pair is a private key and a certificate.

Public-key cryptography is based on the concept of a key pair, which consists of a public key and a private key. Data that has been encrypted with a public key can be decrypted only with the corresponding private key. Conversely, data that has been encrypted with a private key can be decrypted only with the corresponding public key.

A certificate holds more information than the public key alone. It is a wrapper for the public key and also contains information such as the issuer, what the certificate is supposed to be used for, and other types of metadata. A certificate also contains a signature that helps verify ownership of the public key.

Typically, a certificate is signed by a certificate authority (CA) using the CA's private key. This signature verifies the authenticity of the certificate. Company A's public key, signed with a valid CA's private key, is called company A's certificate.

Servers are typically configured with certificates issued by well-known issuers called Certificate Authorities (CAs). Like a server, a CA has a certificate and a private key. When issuing a certificate for a server, the CA signs the server certificate using its private key. The client can then verify that the server has a certificate issued by a CA the client trusts. Clients (such as browsers) generally contain a list of well-known CAs that they trust.

In short, the server has a certificate signed by a trusted CA, and the client only believes the server certificate if it is signed by a certificate authority it trusts. Because CAs are trusted, their own public keys, which are used to verify the signatures on issued digital certificates, are widely published.
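The CA-signs, client-verifies relationship described above can be reproduced with the openssl command line. This is an added example, not code from the original post; the CA names, the host name www.example.test and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added demo: CA names, host name and file names are constructed for illustration.

# make_ca DIR NAME: CA private key plus a self-signed CA certificate (CA:TRUE).
make_ca() {
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
        '[dn]' 'CN=unused' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$1/req.cnf"
    openssl req -x509 -config "$1/req.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_cert DIR CA HOST: server key pair, CSR carrying the public key, then the
# CA signs the CSR with its private key. Reuses req.cnf written by make_ca.
issue_cert() {
    openssl req -new -config "$1/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$3" -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.crt" 2>/dev/null
}

# trusted_by CA_CERT CERT: the client-side check, succeeds only if CERT was
# signed by the CA whose certificate (public key) the client holds.
trusted_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches_cert KEY CERT: succeeds if CERT wraps the public half of KEY.
key_matches_cert() {
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    from_crt=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$from_key" = "$from_crt" ]
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" demo-root-ca && make_ca "$d" other-ca &&
        issue_cert "$d" demo-root-ca www.example.test || return 1
    srv="$d/www.example.test"
    trusted_by "$d/demo-root-ca.crt" "$srv.crt" && echo "signed by trusted CA: accepted"
    trusted_by "$d/other-ca.crt" "$srv.crt" || echo "CA not in trust list: rejected"
    key_matches_cert "$srv.key" "$srv.crt" && echo "server key matches certificate"
    key_matches_cert "$d/other-ca.key" "$srv.crt" || echo "unrelated key: no match"
    rm -rf "$d"
}
demo
```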

In practice, during the SSL handshake, instead of sending its own public key, the client sends the symmetric key (session key) encrypted with the server's public key. The server decrypts it with its private key and so learns the symmetric key. All further communication is then encrypted and decrypted with this symmetric key.
