Individuals and organizations often have a legitimate need not only to encrypt their communication but also to verify the identity of the individuals they communicate or transact with. This is generally done through cryptography. When two parties that have not communicated before want to establish an authenticated session, they need to exchange their Public Keys.
However, how can Alice ensure that Bob is the real requestor and the legitimate owner of the keys and not a hacker?
In a seminal paper on Public Key Cryptography, Diffie and Hellman pointed out the problem of authenticating that a Public Key belongs to a real entity (i.e. Bob and not the hacker).
In 1978, Kohnfelder proposed having a trusted entity, called the Certificate Authority (CA), bind a public key to its holder.
The CA issues a digital certificate, also known as an SSL/TLS certificate, that binds a public key to information about the entity that owns that public key. This enables any system to verify the entity-key binding of any presented certificate. This leads us to the following architecture:
Certificate Authority (CA)
A certificate authority is a trusted third-party entity that accomplishes three major tasks:
- Issues certificates.
- Confirms the identity of the certificate owner.
- Provides proof that the certificate is valid.
A certificate, or a digital certificate, is a set of data that can be used to verify an entity’s identity over the internet. Certificates are issued by CAs and follow a specific format (X.509 internet standard).
The information contained in the certificate allows the client to validate the certificate and therefore the identity of the owner of the certificate.
The information contained in a certificate is:
- Owner’s information
- Owner’s public key
- CA information
- CA digital signature
How Does a Certificate Authority Work
The process for getting a certificate authority to issue a signed certificate goes like this:
- The client creates a private and public key pair and submits a request, known as a certificate signing request (CSR), that contains the client’s public key and its information to a trusted certificate authority. The CSR thus holds all the information about the client that will be shown on the resulting certificate if approved.
- The CA verifies whether the information on the CSR is true. If so, it issues and signs a certificate using its (the CA’s) private key, then gives it to the client to use.
How Can a Certificate Confirm the Identity of the Owner
Verifying certificates is the process in which an entity’s identity is validated.
Based on the figure above (client-server authentication via CA), let’s assume that the server has sent its certificate to the client. How can the client verify the server’s identity?
As I explained before, a certificate holds some information about the CA, such as the CA name and a digital signature. These are the two fields that will be used to authenticate the certificate.
The CA name on the certificate will have to be a trusted CA and the digital signature must be valid.
The first step is finding out if the CA is a trusted CA. The CA name is taken from the certificate and compared to a list of trusted CAs provided by the web browser. If the CA name is found to be a trusted CA, the client will then get the CA’s corresponding public key to use in the next validation step.
The next step in the process is to validate the digital signature on the server’s certificate. The digital signature is a hash of the CA’s public key
To validate the digital signature, the client hashes the CA’s public key with the same hash algorithm used by the CA to get the digital signature.
If the two hashes match, then the digital signature is valid and the certificate is authenticated. If the two hashes do not match, then the certificate has been changed since it was issued and the certificate cannot be authenticated.
The final steps in validating the certificate are looking at the expiration date and seeing that the certificate is valid.
Once a certificate is authenticated, the identity of the owner of the certificate will also be authenticated.
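
The issuance and validation steps above, as an added Ruby example that is not part of the original article. It uses Ruby's standard openssl library, whose signature check verifies the CA's signature over the certificate contents with the CA's public key. The CA name, server name, keys and the issue, validate and demo helpers are constructed for illustration.

```ruby
require "openssl"

# What the CA does once it has approved a CSR: bind the subject's name and public
# key into a certificate and sign it with the CA's private key.
def issue(subject_cn, subject_key, issuer_cn, issuer_key, not_after)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**62)
  cert.subject = OpenSSL::X509::Name.new([["CN", subject_cn]])
  cert.issuer = OpenSSL::X509::Name.new([["CN", issuer_cn]])
  cert.public_key = subject_key.public_key
  cert.not_before = Time.now - 3600
  cert.not_after = not_after
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
end

# The client's checks, in the order the article lists them. `trusted` maps a CA
# name to that CA's certificate and stands in for the browser's trust list.
def validate(cert, trusted, now = Time.now)
  ca = trusted[cert.issuer.to_s]
  return :untrusted_issuer unless ca                      # step 1: issuer is a trusted CA
  return :bad_signature unless cert.verify(ca.public_key) # step 2: CA signature is valid
  return :outside_validity unless now.between?(cert.not_before, cert.not_after) # step 3
  :ok
end

# Constructed sample data: a throwaway CA and server key pair with placeholder names.
def demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  srv_key = OpenSSL::PKey::RSA.new(2048)
  ca = issue("Example Root CA", ca_key, "Example Root CA", ca_key, Time.now + 86_400)
  leaf = issue("server.example", srv_key, "Example Root CA", ca_key, Time.now + 3600)
  trusted = { ca.subject.to_s => ca }
  # The same certificate with one character of the subject changed after issuance.
  altered = OpenSSL::X509::Certificate.new(leaf.to_der.sub("server.example", "s3rver.example"))
  { good: validate(leaf, trusted), altered: validate(altered, trusted),
    expired: validate(leaf, trusted, Time.now + 7200), unknown_ca: validate(leaf, {}) }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The altered certificate still names a trusted issuer, so the name lookup in step 1 passes and only the signature check in step 2 rejects it.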