How does SFTP establish a server’s and a client’s bona fides?

558 views

If a server proves its bona fides by presenting its public key, and its public key is public, what prevents a bad actor from getting the public key and pretending to be the original? Is the server’s public key tied to a particular IP address or domain so that the client should check that? Or is a third-party certificate required to prove the server’s bona fides? How about the client’s public key? What prevents a bad actor from pretending to be the owner of that public key?

In: Technology

6 Answers

Anonymous 0 Comments

The whole point of public/private key pairs is that either one can encrypt messages that then require the other to decrypt.

This means you can prove you know the private key by either reading and responding correctly to challenges encrypted with the public key, or by sending challenge responses encrypted with the private key that decrypt correctly when the challenger uses the public key to decrypt them.

Using this kind of challenge, the parties can make sure they are talking to someone who knows the private key corresponding to the public key they have on file. Certificates are useful for making sure that the people you think you’re talking to actually published that public key.
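As an added illustration (not part of the question or any of the answers), the following script models the two checks that together answer the question for the SSH transport SFTP runs over: the client pins the host key it expects for a given host name (the role of `~/.ssh/known_hosts`), and the peer must then answer a fresh challenge in a way that only the holder of the matching private key can. Real SSH signs key-exchange data with full-size keys; here a textbook RSA over constructed Mersenne primes stands in so the script runs with the standard library alone, and the host name `files.example.net` and the hex fingerprint format are constructed for the example. Someone who has only copied the public key cannot answer the challenge; someone who substitutes their own key pair can answer their own challenge but fails the pinning check.

```python
"""Host authentication as two checks: key pinning plus challenge-response.

Added example, not code from the original page. Textbook RSA with tiny,
constructed primes is used so it runs offline on the standard library only;
it is a model of the logic, not a secure implementation. Requires Python 3.8+
for pow(e, -1, phi).
"""
import hashlib
import secrets

# Constructed demo primes (Mersenne primes 2^31-1, 2^19-1, 2^17-1, 2^13-1).
# Real SSH host keys are 2048+ bit RSA or Ed25519.
SERVER_PRIMES = (2147483647, 524287)
IMPOSTOR_PRIMES = (131071, 8191)
E = 65537


def make_keypair(p, q):
    """Textbook RSA key pair from two distinct primes -> (public, private)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # private exponent: modular inverse of E mod phi
    return (n, E), (n, d)


def fingerprint(public):
    """Stable identifier for a public key (what known_hosts effectively pins)."""
    n, e = public
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()


def _digest_mod_n(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, challenge):
    """Only the private-key holder can produce this value for a fresh challenge."""
    n, d = private
    return pow(_digest_mod_n(challenge, n), d, n)


def verify(public, challenge, signature):
    """Anyone holding the public key can check the response."""
    n, e = public
    return pow(signature, e, n) == _digest_mod_n(challenge, n)


class Client:
    def __init__(self, known_hosts):
        self.known_hosts = known_hosts  # host name -> pinned fingerprint

    def authenticate_host(self, hostname, presented_public, responder):
        # Check 1: the presented key must be the one pinned for this host name.
        pinned = self.known_hosts.get(hostname)
        if pinned is None:
            return "unknown host key"  # first contact; real clients prompt here
        if pinned != fingerprint(presented_public):
            return "HOST KEY MISMATCH"  # a different key pair was substituted
        # Check 2: the peer must prove possession of the matching private key.
        challenge = secrets.token_bytes(32)  # fresh per session, so replay fails
        if not verify(presented_public, challenge, responder(challenge)):
            return "challenge failed"
        return "ok"


def run_scenarios():
    """Three peers try to pass as files.example.net (constructed host name)."""
    server_pub, server_priv = make_keypair(*SERVER_PRIMES)
    impostor_pub, impostor_priv = make_keypair(*IMPOSTOR_PRIMES)
    client = Client({"files.example.net": fingerprint(server_pub)})
    results = {}
    # Genuine server: pinned key, and it can sign the challenge.
    results["genuine"] = client.authenticate_host(
        "files.example.net", server_pub, lambda c: sign(server_priv, c))
    # Copied the public key but lacks the private key: can only guess a response.
    results["copied_pubkey"] = client.authenticate_host(
        "files.example.net", server_pub,
        lambda c: secrets.randbelow(server_pub[0]))
    # Presents its own key pair: signs correctly, but it is not the pinned key.
    results["own_key"] = client.authenticate_host(
        "files.example.net", impostor_pub, lambda c: sign(impostor_priv, c))
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:14s} -> {outcome}")
```

The same challenge runs in the other direction for public-key client authentication: the server pins the client's public key (the `authorized_keys` file) and the client must answer with its private key, so possessing someone's public key proves nothing by itself.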
