Securing Communication: Part 2 - Digital Certificates
In the previous article, Securing Communication: Part 1, we explored symmetric and asymmetric encryption, HTTPS, and the SSL/TLS handshake process. We identified a critical issue in the initial step of the SSL/TLS handshake (illustrated in the diagram below): when the client sends the "Client Hello" message in step 1, a malicious server could intercept this message and respond with its own public key instead of the legitimate server's key.
In this article, we will discuss how to avoid this risk using digital certificates.
To obtain a digital certificate, the server sends a CSR (Certificate Signing Request) to the Certificate Authority (CA). The CSR includes the organization's relevant details and the server's public key.
The Certificate Authority, a universally trusted entity, thoroughly validates the Certificate Signing Request to ensure the legitimacy of the organization. Upon successful validation, the CA creates a digital certificate by digitally signing the CSR with its private key. This digital certificate is then returned to the server.
So, during the initial step of the SSL/TLS handshake, when the client requests the server's public key, the server responds by sharing its digital certificate, which it obtained from the Certificate Authority (CA).
All browsers and servers come with a set of pre-installed public keys for trusted Certificate Authorities. Using the CA's public key, the browser can verify the CA's signature on the server's digital certificate and safely retrieve the server's public key from it. This process ensures that the public key received by the client is from the intended server and not from any malicious party.
Thus, the digital certificate, combined with the SSL/TLS handshake, prevents man-in-the-middle attacks and ensures secure communication.
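The flow described above (CSR, CA signature, client check against a pre-installed CA), as an added example using Go's standard crypto/x509 package; it is not code from the original article. The CA names, the host shop.example, the function names and the choice of Ed25519 keys are assumptions, and the TLS handshake itself is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA makes a self-signed root, standing in for a CA pre-installed in the browser.
func newCA(name string) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// issue: the server builds a CSR with its details and public key; the CA checks and signs it.
func issue(ca *x509.Certificate, caKey ed25519.PrivateKey, host string) (*x509.Certificate, error) {
	_, srvKey, _ := ed25519.GenerateKey(rand.Reader)
	csrDER, _ := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}, srvKey)
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil || csr.CheckSignature() != nil { // requester must hold the matching private key
		return nil, fmt.Errorf("CSR rejected")
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, ca, csr.PublicKey, caKey)
	return x509.ParseCertificate(der)
}
// clientVerify is the browser's check: a valid signature chaining to a trusted CA, for this host.
func clientVerify(trusted, leaf *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
func main() {
	ca, caKey := newCA("Example Trusted CA") // in the client's trust store
	rogue, rogueKey := newCA("Rogue CA")     // impostor's own CA, not in the trust store
	good, _ := issue(ca, caKey, "shop.example")
	fake, _ := issue(rogue, rogueKey, "shop.example")
	fmt.Println("genuine: ", clientVerify(ca, good, "shop.example"))
	fmt.Println("impostor:", clientVerify(ca, fake, "shop.example"))
}
```

The impostor's certificate names the same host but fails because its signer is not in the client's trust store; the genuine certificate also fails if presented for a different host name.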
In the previous article, Securing Communication: Part 1, we also discussed two important properties of asymmetric encryption. Here is how each is used in the HTTPS process.
The "identity of the sender" property of the public-private key pair helps in the digital certificate validation process. After the Certificate Authority (CA) creates a digital certificate by signing the CSR with its private key, the certificate's signature can only be verified using the CA's corresponding public key. This ensures that the digital certificate was signed exclusively by the CA and not by any unauthorized server.
The "only the intended recipient has access" property of the public-private key pair helps in transporting the session key securely. When the session key is encrypted with the server's public key, only the server, which possesses the corresponding private key, can decrypt and access the session key. This prevents unauthorized parties from intercepting and deciphering the session key.