CNS - 24 - Asymmetric Cryptography III

Let's suppose we are a bank and we want to associate our identity with a specific public key. The process of issuing a new certificate has to be done exclusively offline. It works as follow.

• The bank generates a new pair of private \((S_k)\) and public key \((P_k)\) using an asymmetric crypto system such as RSA.

• The bank stores locally the secret key, to keep it secret.

• A guy from the bank goes to the certificate authority (CA) and gives to the CA the identity of the bank and the public key of the bank. This has to be done offline, or in general using a secure channel.

• The bank generates a new certificate, which is signed using the private key of the certificate authority.

  \[\text{CERT} = (\text{BankName}, \text{BankP}_k)_{\text{CA_sign}}\]

• The bank then sends the certificate to the bank.

Notice that in this workflow there are at work two pairs of private/public key: the pair of the bank, and the pair of the CA.

Suppose now that we are a client of the bank, and we want to ensure that the bank has really the public key it claims to have. The process of verifying the validity of a certificate works as follows

• In the handshake process the bank sends the client the certificate previoulsy obtained by the CA.

• As long as the user trusts the certificate authority that signed the certificate, the user can check the validity of the certificate.

• If the CA signature is OK, then I'm sure that the bank really has that public key.

• Finally, the client asks the bank to prove the possesion of the private key of the bank \(S_k\) associated to the public key contained in the cert. This can be done in two ways, either by asking the bank to sign something fresh (to avoid replay attacks), or by asking the bank to decrypt something fresh.

In order to validate the CA signature I need the public key of the CA, which has to be preinstalled in the PC. Now, since we don't handle raw public key but always use certificate, the public key of the CA must be within a certificate. Ok but then, who signs the certificate that maps the public key of the CA to the CA itself? Well, since we can't introduce another party, for otherwise the loop would never end, the idea is to let the CA, and only the CA, self-sign his own certificate. That is, the certificate of the CA which maps the public key of the CA with the CA's identity is signed with the CA's own private key. These certificates are the so-called self-signed certificates. All the root authorities must self-sign their own certificates.

Indeed, in most browsers and applications there is a list of trusted CA, which are inserted during installation time.

Observation: To check the quality of an SSL site you can use the site https://www.ssllabs.com/.

The bank sends the CA, the client checks if the CA is valid and then sends a nonce to be signed by the bank. The bank, to prove that it has knowledge about the secret key, signs the nonce with the secret key. If the signature is validated using the public key in the CA then it means that the bank has the proper private key.

This time instead of sending a nonce in clear and asking the bank to sign it, the idea is to encrypt the nonce with the public key of the bank, and asking the bank to decrypt it. If the bank returns the correct nonce, then we know that the bank owns the private key.

In TLS when using RSA key transport upon receiving a valid certificate the client does not generate a new nonce, but it uses as a nonce the symmetric key that is later used for encrypting the channel. This key is sent encrypted using the bank's private key.

After sometime data will be exchanged encrypted with the symemtric key \(K\). This means that if the bank was not really the bank, the channel is still secure, because only those with knowledge of the private key associated to the public one included in the certificate is able to read the data. In this way server-side authentication is done implicitly.