Public Key Certificate Pt. 1

Requirements

Let’s introduce two important concepts. Given a pair of keys (public and private):

  • Only someone with access to the private key can decrypt data encrypted with the corresponding public key.
  • A digital signature certifies and timestamps a document. A document signed with a private key can be verified with the corresponding public key. A digital signature is nothing more than a hash value (digest) of the original data encrypted with a private key.

While the first is more “obvious”, the second is less intuitive.

Simple example:

UserA wants to send a file named test.pdf to UserB, and UserB wants to check whether the file has been changed by someone in transit.

UserA first produces a hash of the file with sha256 and then signs the result with his private key. This returns the signature of the file test.pdf.

UserA sends the unencrypted file together with the signature to UserB, who can verify the signature by calculating the hash of the file and then using UserA's public key to verify the data.

UserA side (sender)


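# Hash test.pdf with SHA-256 and sign the digest with the private key
openssl dgst -sign private_key.pem \
    -keyform PEM -sha256 -out test.sign -binary test.pdf
# Encode the binary signature as base64 text
openssl base64 -e -in test.sign -out test_base64.sign # optional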

This produces a base64-encoded signature file, test_base64.sign.

UserB side (receiver)

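# Decode the base64 signature back to binary
openssl base64 -d -in test_base64.sign -out test.sign # optional
# Recompute the SHA-256 digest of test.pdf and check it against the signature
openssl dgst -verify public_key.pem \
    -keyform PEM -sha256 -signature test.sign -binary test.pdf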
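
The exchange above run end to end, as an added example that is not part of the original post: it signs a constructed test.pdf with a throwaway key pair in a temporary directory, shows that the digest recovered from the signature with the public key equals the SHA-256 of the file, and shows that a modified copy fails verification. The function names and tampered.pdf are illustrative, and the digest recovery assumes an RSA key with openssl's default PKCS#1 v1.5 padding.

```shell
#!/bin/sh
# Added example: constructed file and throwaway key pair, all in a temp directory.
set -e
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cd "$work"

# Render binary stdin as one lowercase hex string.
hex() { od -An -tx1 | tr -d ' \n'; }

# UserA: throwaway 2048-bit RSA key pair (the page assumes the keys already exist).
make_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out private_key.pem 2>/dev/null
    openssl pkey -in private_key.pem -pubout -out public_key.pem
}

# UserA: hash the file with SHA-256 and sign the digest with the private key.
sign_file() { openssl dgst -sha256 -sign private_key.pem -out "$1.sign" "$1"; }

# UserB: exit status 0 only if the signature matches the file and the public key.
verify_file() {
    openssl dgst -sha256 -verify public_key.pem \
        -signature "$1.sign" "$1" >/dev/null 2>&1
}

# SHA-256 of the file, as UserB computes it locally.
file_digest() { openssl dgst -sha256 -binary "$1" | hex; }

# Digest recovered from the signature using only the public key. The recovered
# data is a DER DigestInfo structure whose last 32 bytes are the SHA-256 hash.
recovered_digest() {
    openssl pkeyutl -verifyrecover -pubin -inkey public_key.pem -in "$1.sign" \
        | tail -c 32 | hex
}

printf 'constructed sample document\n' > test.pdf
make_keys
sign_file test.pdf
verify_file test.pdf && echo "original: signature valid"
echo "local digest:     $(file_digest test.pdf)"
echo "recovered digest: $(recovered_digest test.pdf)"

# Any change in transit alters the digest, so the old signature no longer verifies.
cp test.pdf.sign tampered.pdf.sign
{ cat test.pdf; printf 'x'; } > tampered.pdf
verify_file tampered.pdf || echo "tampered: signature rejected"
```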

With these two concepts in mind, we can go deeper into certificates.

What is a certificate?

According to Wikipedia:

In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the ownership of a public key. The certificate includes information about the key, information about the identity of its owner (called the subject), and the digital signature of an entity that has verified the certificate’s contents (called the issuer).

X.509 is a standard that defines the format of a public key certificate. This format contains a public key and some information about the identity of the owner. A certificate can be signed (validated) either by a certification authority or by a non-trusted authority (a self-signed certificate).

A self-signed certificate can only provide secure communications but cannot prove the identity of the owner of the certificate.

How SSL/TLS works

Here are the basic steps:

  • The client requests a copy of the server's SSL certificate (remember, it’s a signed public key).
  • The server sends a copy of its SSL certificate, which contains its public key, to the client.
  • The client then verifies the authenticity of the certificate against a list of trusted CAs.
  • After the authenticity of the SSL certificate is verified, the client sends back a newly generated symmetric session key encrypted with the public key of the server.
  • The server (the only one who can) decrypts the symmetric key with its private key.
  • The secured communication starts, encrypted with the session key.