How does SFTP establish a server’s and a client’s bona fides?


If a server proves its bona fides by presenting its public key, and its public key is public, what prevents a bad actor from getting the public key and pretending to be the original? Is the server’s public key tied to a particular IP address or domain so that the client should check that? Or is a third-party certificate required to prove the server’s bona fides? How about the client’s public key? What prevents a bad actor from pretending to be the owner of that public key?


6 Answers

Anonymous

First, a bad actor can’t do anything with someone else’s public key. That public key encrypts things in a manner that only the server’s *private* key can decrypt. This means that when you encrypt something with somebody’s public key, you know that the holder of their private key, which is very protected, is the only one who can read it.

Second, in many implementations of public key cryptography, part of the data in the key is locked to a particular domain. The application knows that if you go to www.reddit.com but they offer a public key for example.com, it should not trust it, since the domains do not match.
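An added example (not part of this answer) of the two checks the answer describes, in Go using only the standard library's ed25519: the client pins the server's public key to a hostname, then requires the server to sign a fresh random challenge, so an impostor who merely copied the public key still fails. The hostname is constructed, and the bare challenge is a simplification of the real SSH exchange, which signs a hash of the whole key-exchange transcript instead.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
)

// KnownHosts maps a hostname to the SHA-256 fingerprint of the host key the
// client pinned on first contact (the job ~/.ssh/known_hosts does in OpenSSH).
type KnownHosts map[string]string

// Fingerprint is the base64 SHA-256 digest of the raw public key bytes.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// HostKeyMatches reports whether the key a server presented is the one pinned
// for that hostname. An unknown host or a changed key fails closed.
func (kh KnownHosts) HostKeyMatches(host string, presented ed25519.PublicKey) bool {
	want, ok := kh[host]
	return ok && want == Fingerprint(presented)
}

// Authenticate is the client's proof-of-possession check: the server must sign a
// fresh random challenge that verifies under the pinned public key. Holding the
// public key alone gives an impostor nothing to sign with.
func Authenticate(pinned ed25519.PublicKey, sign func([]byte) []byte) bool {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false
	}
	return ed25519.Verify(pinned, challenge, sign(challenge))
}

// Scenario pins the genuine server's key, then lets the genuine server and an
// impostor (who copied the public key but has its own private key) connect.
func Scenario() (genuineOK, impostorOK bool) {
	serverPub, serverPriv, _ := ed25519.GenerateKey(nil) // nil => crypto/rand
	_, impostorPriv, _ := ed25519.GenerateKey(nil)
	kh := KnownHosts{"sftp.example.test": Fingerprint(serverPub)} // constructed host
	genuine := func(c []byte) []byte { return ed25519.Sign(serverPriv, c) }
	impostor := func(c []byte) []byte { return ed25519.Sign(impostorPriv, c) }
	// Both present the same public key, so pinning passes for both...
	genuineOK = kh.HostKeyMatches("sftp.example.test", serverPub) && Authenticate(serverPub, genuine)
	// ...but only the holder of the matching private key can answer the challenge.
	impostorOK = kh.HostKeyMatches("sftp.example.test", serverPub) && Authenticate(serverPub, impostor)
	return genuineOK, impostorOK
}
```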
