I was reading this post about how SSL certificates are verified: "How are ssl certificates verified?". I had a question about the process the browser uses to verify the web server certificate was indeed signed by a trusted authority. If all the browser has is the public keys of the trusted authorities, but the web server certificate was signed using the trusted authority's private key, what operation is the browser doing to verify everything? Is it decrypting something using the CA's public key?
What you are asking about is exactly the benefit that is offered by asymmetric cryptography, which is a very interesting and useful tool. It's something that definitely bears reading up on: https://searchsecurity.techtarget.com/definition/asymmetric-cryptography.

Dan Forbes
- I could be wrong but I don't think that's correct. Asymmetric cryptography is used when the session key has been generated to encrypt HTTP traffic, but this step occurs after what I am asking about. – Dave May 09 '19 at 21:34
- If the browser is able to decrypt the certificate using the public key of a trusted authority, then it can assume that the certificate was encrypted (signed) by said trusted authority (since the only way the public key can be used to decrypt something is if it had previously been encrypted using the associated public key). – Dan Forbes May 09 '19 at 22:03
- Ah that makes sense. Thanks! – Dave May 10 '19 at 01:07
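As an added worked example (not part of the original question or answer), here is the check the browser performs, written in Python with textbook RSA: the CA applies its private exponent to a hash of the certificate fields, and the browser applies the CA's public exponent to the signature and compares the result with its own hash of the same fields. The key primes, certificate fields and trust store are constructed for illustration; real certificates use padded signatures (PKCS#1 v1.5 or PSS) over ASN.1-encoded fields rather than a bare hash.

```python
import hashlib
import json

E = 65537  # standard RSA public exponent

def make_keypair(p, q):
    """Return (public, private) = ((n, e), (n, d)) for the given primes."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent; needs Python 3.8+
    return (n, E), (n, d)

def digest_int(tbs):
    """Hash the to-be-signed (TBS) fields; the CA signs this digest, not the raw cert."""
    data = json.dumps(tbs, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def ca_sign(tbs, priv):
    """CA side: raise the digest to the private exponent (textbook RSA, no padding)."""
    n, d = priv
    return pow(digest_int(tbs), d, n)

def browser_verify(tbs, signature, trust_store):
    """Browser side: find the issuer's public key in the trust store, raise the
    signature to the public exponent, and compare with its own hash of the cert."""
    pub = trust_store.get(tbs["issuer"])
    if pub is None:
        return False  # issuer is not a trusted root: reject
    n, e = pub
    return pow(signature, e, n) == digest_int(tbs)  # digest < n, so no reduction needed

# Constructed keys from Mersenne primes so n (> 2^256) is certainly a valid modulus;
# real CA keys use random 2048-bit-plus primes.
CA_PUB, CA_PRIV = make_keypair(2**127 - 1, 2**521 - 1)
OTHER_PUB, OTHER_PRIV = make_keypair(2**107 - 1, 2**607 - 1)  # a CA the browser does not trust
TRUST_STORE = {"Example Root CA": CA_PUB}  # stands in for the browser's root store

def demo():
    """Return (genuine ok, tampered ok, wrong-key ok) verification results."""
    cert = {"subject": "www.example.com", "issuer": "Example Root CA",
            "server_pubkey": "constructed placeholder"}
    sig = ca_sign(cert, CA_PRIV)
    tampered = dict(cert, subject="www.other.example")  # a field changed after signing
    wrong_key = ca_sign(cert, OTHER_PRIV)               # signed by a key the browser does not trust
    return (browser_verify(cert, sig, TRUST_STORE),
            browser_verify(tampered, sig, TRUST_STORE),
            browser_verify(cert, wrong_key, TRUST_STORE))

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Only the genuine certificate with the genuine signature passes; changing any signed field, or signing with a key that is not in the trust store, makes the recovered value differ from the browser's own hash.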