Join Sean Colins for an in-depth discussion in this video How a signature identifies you, part of Understanding Secure Sockets Layer.
- We've talked a lot about certificates, but certificates really only do part of the job. We also have to worry about signatures, and we don't really understand yet how a signature identifies you as being you, or how a signature actually identifies the authenticity of the certificate. So, let's talk about that here. So, a certificate provides information about identity, right? It gives you the fully qualified domain name of the server that it represents. It gives you the issuer information, et cetera. It even gives you an expiration date, but it doesn't give you any kind of authenticity.
It doesn't say anything that would prove that it is who it says it is. So, we need to do something to provide that authenticity, and that's where our signatures come in to play, right? Because authenticity is verified with a signature. So, a signature is created using the private key and an algorithm to calculate the encrypted version of a message from that server, okay? So, it's the server's private key and a message being put together to create an encrypted version of that message. So, that encrypted version of the message is then sent, along with the original message, to a recipient, as proof that the sender has the private key.
How does that prove it? Well, here, because only the private key is able to be used to calculate the encryption of the message, and only the public key that's mathematically paired with the private key can decode or decrypt that message. The decoded message will always match the clear text message if, and only if, the sender has the private key. Now, all of this is accomplished using a type of algorithm, and there are many types of algorithms out there. The RSA algorithm is the most common.
It is a standard for encryption, and keys are great, right, but the calculation of the encryption, that happens in the algorithm. So all of this calculation happens through an algorithm, right? You need an algorithm in order to do the calculation, and the key is associated with the algorithm, in that the key is passed through the algorithm with the data, and because all of this is part of this equation that's used, you end up on the other end with calculated encrypted data, and that's what gets passed over.
Now, concept. But because the numbers that we are using in these calculations are so large, we need to do something in order to restrict the size of those data sets that are being transferred around in these encrypted calculations, and in order to do that, rather than actually send the encrypted version of the message, we apply what's called a hash to the message before it gets encrypted, and that hash is a small fixed-length version, and calculated version of the original message, and then that hash is encrypted.
And then, what actually gets sent, in fact, in a real system is the hash gets sent in the clear, and the encrypted version of the hash gets sent, and then those get decrypted, and if those two match, the client knows that ownership was there. So, that's an added layer of complexity. You could do all of this without applying a hash, but the numbers would be very very big. So, in all practicality, that wouldn't work out so well in the real world. Anyway, when the hash is employed, the hash is confirmed on the client end, instead of the actual message. That's what you need to take away from there, all right? So, as you can see now, it is the certificate that contains information about who you are, and when I say who you are, of course, I'm talking about your domain name, your server.
It's identifying that entity, and it's telling the client information about the entity, right? And it even includes things like the public key, so that it can use that information in order to decrypt stuff that was encrypted using the private key, and all that's great, but you could replace that with a hacker's version of that, and that wouldn't be very good, right? So, it's the signature on the certificate, and in the case of signatures that are tied to trusted root certificates that are already installed on the client's system, it's that chain of trust that you're still dealing with, right? Those signatures that are calculated are what are actually validating the authenticity of the claim that you are who you say you are.
- SSL communications
- Certificate authorities
- Public key infrastructures
- Symmetric and asymmetric key pairs
- Cryptographic hash functions
- Encryption algorithms
Start now, and by the end of this course you'll have the knowledge to create SSL certificates, as well as revoke and renew them, from the command line.