So I’ve never really understood how certificates/SSL really work. Don’t get me wrong, I understand how it works to a certain extent: I know about public/private keys, shared keys, CAs, etc… So I thought it would be a good time to write something up. I’m going to start with the basics and get those out of the way first.

Terms:

Message: The data to be encoded.

Hash Function: A one-way function that takes data and converts it to a fixed-size bit string, which is called a hash value, message digest, and a few other things. The slightest change to the message will completely change the hash value. It is extremely rare for 2 different messages to create the same hash value. Some algorithms used include MD4, MD5, SHA-0, SHA-1, SHA-256, and SHA-512.

Symmetric key: A shared key is used to encrypt and decrypt the message.

Asymmetric keys: A public/private key pair is used to encrypt and decrypt the message. If a message is encrypted with the public key, the corresponding private key is used to decrypt the data, and vice versa. The public and private key are tied together and no other private/public key can decrypt the message. Normally the private key is kept private and the public key is given out to anyone who asks for it.

Digital Signature: A way to verify that a message has not been altered and to know who the message is from. The sender runs the message through the hash function to create a hash value. Then the hash is encrypted using the private key. The message and the digital signature are combined and sent to the recipient. The recipient then decrypts the digital signature and creates a hash of the message. If the 2 hashes are the same, then we know the holder of the key pair sent the message and that it hasn’t been altered.

Digital Certificate: A document that uses a digital signature to bind a public key to a user/organization. It only binds the public key, as the private key is kept private so only that user can decrypt the data. The digital certificate can contain several pieces including name, address, etc… Digital Certificates are normally issued by a CA, or Certificate Authority.

Ok, so that was a little more than just basic terms :). But if you understand that you should be able to follow along.

When you visit a website over an SSL connection, your browser requests the digital certificate, and the server happily sends it back as shown in the following screenshot.

Now that you have the digital certificate, the browser needs to perform some checks. Using the digital signature, it can confirm that the certificate was not altered in transit. It also makes sure that the certificate is still valid (certificates are only valid for a certain date range) and that it has not been revoked. Most browsers include in their code the serial numbers of certificates that have been revoked, but they can also check the Certificate Revocation List (CRL), which is not performed often.

So how do you really know that you can trust this certificate? I can create my own certificate and present it to you, but then I’m just telling you that ‘you can trust me’. A trusted 3rd party, or Certificate Authority, issues certificates and validates that the certificate holders are who they say they are. These certificate authorities have a certificate installed in your browser, and when you run across a certificate issued by them your browser trusts that certificate (given that it’s not revoked and it is still valid).
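The checks described above (CA signature, validity date range, revocation), as an added example that is not part of the original post. The CA key is a constructed toy key using textbook RSA with no padding, and the certificate fields, serial number and host names are made up for illustration; a real certificate is an X.509 structure checked by a TLS library.

```python
import hashlib
from datetime import datetime, timezone

# Constructed toy CA key: textbook RSA from two Mersenne primes.
# Illustration only (no padding, special-form primes); never use as a real key.
P, Q = 2**521 - 1, 2**607 - 1
CA_N, CA_E = P * Q, 65537                 # CA public key, shipped with the browser
CA_D = pow(CA_E, -1, (P - 1) * (Q - 1))   # CA private key, known only to the CA

def digest(fields: dict) -> int:
    """Hash the certificate fields in a fixed order and return an integer."""
    data = "|".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def issue(fields: dict) -> dict:
    """CA side: hash the fields, then transform the hash with the private key."""
    return {"fields": fields, "signature": pow(digest(fields), CA_D, CA_N)}

def validate(cert: dict, now: datetime, revoked: set) -> str:
    """Browser side: signature, then date range, then revocation."""
    f = cert["fields"]
    # Recover the hash from the signature with the CA public key and compare
    # it with a freshly computed hash of the fields that were received.
    if pow(cert["signature"], CA_E, CA_N) != digest(f):
        return "bad signature"
    start = datetime.fromisoformat(f["not_before"])
    end = datetime.fromisoformat(f["not_after"])
    if not (start <= now <= end):
        return "outside validity period"
    if f["serial"] in revoked:
        return "revoked"
    return "ok"

# Constructed sample certificate and inputs.
CERT = issue({
    "subject": "www.example.test", "serial": "1001",
    "public_key": "site-public-key-placeholder",
    "not_before": "2024-01-01T00:00:00+00:00",
    "not_after": "2025-01-01T00:00:00+00:00",
})
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
LATER = datetime(2026, 1, 1, tzinfo=timezone.utc)
# Same signature, one field changed: the hashes no longer match.
TAMPERED = {"fields": {**CERT["fields"], "subject": "other.example.test"},
            "signature": CERT["signature"]}

if __name__ == "__main__":
    for cert, when, crl in [(CERT, NOW, set()), (TAMPERED, NOW, set()),
                            (CERT, LATER, set()), (CERT, NOW, {"1001"})]:
        print(validate(cert, when, crl))
```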

This is just 1 example of digital certificates; there are many more, like in smart cards or in emails.