Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


0 votes
283 views
in Technique[技术] by (71.8m points)

security - How does a client (web browser) use the public key of a CA certificate to authenticate the digital signature on a server certificate?

While studying how HTTPS works, and the SSL handshake in HTTPS, the following point was raised without getting a complete answer. In the HTTPS flow, how does the client, upon receiving the server certificate, validate its authenticity using the digital signature in the server certificate and the public key of the CA certificate?

Can anyone explain this in brief?

question from:https://stackoverflow.com/questions/65951529/how-a-clientweb-browser-use-public-key-on-ca-certificate-to-authenticate-digit


1 Reply

0 votes
by (71.8m points)

In brief, the idea of asymmetric cryptography is that you can encrypt with one key and decrypt with another key. The idea of a digital signature is that you can encrypt with the private key and decrypt with the public key.

So when a CA issues a certificate for a server, it encodes some fields of the certificate (described in the specification):

   TBSCertificate  ::=  SEQUENCE  {
        version         [0]  EXPLICIT Version DEFAULT v1,
        serialNumber         CertificateSerialNumber,
        signature            AlgorithmIdentifier,
        issuer               Name,
        validity             Validity,
        subject              Name,
        subjectPublicKeyInfo SubjectPublicKeyInfo,
        issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
                             -- If present, version MUST be v2 or v3
        subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
                             -- If present, version MUST be v2 or v3
        extensions      [3]  EXPLICIT Extensions OPTIONAL
                             -- If present, version MUST be v3
        }

in DER format and then encrypts it with its private key using signatureAlgorithm. When the browser receives the server certificate, it takes the same fields in DER format, then it takes the CA public key and decrypts the encrypted signature of the certificate using signatureAlgorithm.

If they match, that means that the certificate was really signed by the CA and it can be trusted.
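The check described in the answer above, as an added example that is not part of the original post: the CA signs a padded SHA-256 hash of the DER bytes of the to-be-signed part (RSA PKCS#1 v1.5), and the client recovers that value with the CA public key and compares it with its own hash of the bytes it received. Assumptions: a constructed toy CA key built from publicly known primes, a simplified stand-in for TBSCertificate, and hypothetical helper names; chain building, validity dates and hostname checks are out of scope.

```python
import hashlib

# Constructed toy CA key: both primes are well-known public constants, so this
# key is for illustration only and must never be used for real signatures.
P, Q = 2**255 - 19, 2**256 - 2**32 - 977
N, E = P * Q, 65537                      # CA public key (in the CA certificate)
D = pow(E, -1, (P - 1) * (Q - 1))        # CA private key (never leaves the CA)

# DER constants: AlgorithmIdentifier sha256WithRSAEncryption, SHA-256 DigestInfo prefix
SHA256_RSA = bytes.fromhex("300d06092a864886f70d01010b0500")
DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")

def tlv(tag, body):
    assert len(body) < 0x80              # short-form DER length is enough here
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Return (raw TLV bytes, value bytes, offset of the next TLV)."""
    n, i = buf[pos + 1], pos + 2
    if n & 0x80:                         # long-form length
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return buf[pos:i + n], buf[i:i + n], i + n

def encoded_message(tbs, k):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo(SHA-256(tbs))."""
    t = DIGEST_INFO + hashlib.sha256(tbs).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def ca_issue(tbs):
    """CA side: sign the DER bytes of the to-be-signed part, wrap a Certificate."""
    k = (N.bit_length() + 7) // 8
    sig = pow(int.from_bytes(encoded_message(tbs, k), "big"), D, N)
    return tlv(0x30, tbs + SHA256_RSA + tlv(0x03, b"\x00" + sig.to_bytes(k, "big")))

def client_verify(cert, n, e):
    """Client side: needs only the CA public key (n, e)."""
    k = (n.bit_length() + 7) // 8
    _, body, _ = read_tlv(cert, 0)
    tbs, _, pos = read_tlv(body, 0)      # exact bytes as received, not re-encoded
    alg, _, pos = read_tlv(body, pos)
    _, bits, _ = read_tlv(body, pos)     # BIT STRING: unused-bits byte + signature
    sig = int.from_bytes(bits[1:], "big")
    if alg != SHA256_RSA or len(bits) != k + 1 or sig >= n:
        return False
    return pow(sig, e, n).to_bytes(k, "big") == encoded_message(tbs, k)

# Constructed stand-in for a TBSCertificate: serial number and a subject string only
TBS = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x0C, b"CN=example.test"))
CERT = ca_issue(TBS)
```

Changing any byte of the signed part, for example the subject name, makes `client_verify` return `False` because the recomputed hash no longer matches the value recovered from the signature.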

