How does SFTP establish a server’s and a client’s bona fides?


If a server proves its bona fides by presenting its public key, and its public key is public, what prevents a bad actor from getting the public key and pretending to be the original? Is the server’s public key tied to a particular IP address or domain so that the client should check that? Or is a third-party certificate required to prove the server’s bona fides? How about the client’s public key? What prevents a bad actor from pretending to be the owner of that public key?

In: Technology

6 Answers

Anonymous

The verification process does not consist of a simple comparison of the public key. There is a mathematical algorithm which allows someone with a private key to create a signature for some data, and then someone with the public key can verify this signature. If you only have the public key, you cannot create the signature. During the connection handshake the client and server both sign some of the important parameters in the connection, such as the encryption key they have decided to use. The other party is then able to verify that whoever they are talking with is the one in possession of the private key that they have the public key for.
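The mechanism the answer above describes, as an added worked example that is not part of the original post: a toy model in Python of the possession proof in an SSH/SFTP handshake. The server signs a hash over the negotiated session parameters (and its own host key) with its private key; the client checks that signature with the public key it has pinned for that host. The code uses textbook RSA over a SHA-256 digest with small, seeded keys purely for illustration (it is not a real SSH implementation and is not safe for actual use); the function names, the shape of the exchange hash and the pinned known-hosts comparison are assumptions of this model, not OpenSSH's code.

```python
import hashlib
import random

# ---- toy signature scheme: textbook RSA over a SHA-256 digest (illustration only) ----

def _is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if _is_probable_prime(cand, rng):
            return cand

def generate_keypair(bits: int = 512, seed: int = 0):
    """Return ((n, e), (n, d)). A seeded RNG keeps the demo deterministic (toy only)."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this guarantees gcd(e, phi) == 1
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))

def _digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private_key, data: bytes) -> int:
    """Only the holder of d can produce this value."""
    n, d = private_key
    return pow(_digest_int(data), d, n)

def verify(public_key, data: bytes, signature: int) -> bool:
    """Anyone with (n, e) can check it; the 256-bit digest is always < the 512-bit n."""
    n, e = public_key
    return pow(signature, e, n) == _digest_int(data)

# ---- handshake model (assumed shape; real SSH hashes more fields, per RFC 4253) ----

def exchange_hash(client_kexinit: bytes, server_kexinit: bytes, host_pub, shared_secret: int) -> bytes:
    """Bind the negotiated parameters, the server's host key and the fresh shared
    secret into one value; this is what the server must sign for *this* session."""
    n, e = host_pub
    parts = [client_kexinit, server_kexinit, str(n).encode(), str(e).encode(), str(shared_secret).encode()]
    return hashlib.sha256(b"|".join(parts)).digest()

def client_verifies_server(pinned_host_key, offered_host_key, transcript: bytes, signature: int) -> bool:
    """Client side: the offered key must equal the key pinned for this host (the
    known_hosts role) AND the signature over this session's transcript must verify."""
    if offered_host_key != pinned_host_key:
        return False
    return verify(offered_host_key, transcript, signature)

def demo() -> dict:
    """Run four scenarios against the same pinned host key; constructed inputs throughout."""
    server_pub, server_priv = generate_keypair(seed=0)
    c_kex, s_kex = b"client-kexinit(constructed)", b"server-kexinit(constructed)"
    session1 = exchange_hash(c_kex, s_kex, server_pub, shared_secret=123456789)
    genuine_sig = sign(server_priv, session1)
    results = {"genuine_server": client_verifies_server(server_pub, server_pub, session1, genuine_sig)}

    # Impostor holds only the public key: the best it can do is guess a signature.
    guess = random.Random(42).randrange(1, server_pub[0])
    results["impostor_with_public_key_only"] = client_verifies_server(server_pub, server_pub, session1, guess)

    # Impostor uses its own key pair: signature is valid for its key, but the pin does not match.
    imp_pub, imp_priv = generate_keypair(seed=1)
    session_imp = exchange_hash(c_kex, s_kex, imp_pub, shared_secret=123456789)
    results["impostor_with_own_key"] = client_verifies_server(server_pub, imp_pub, session_imp, sign(imp_priv, session_imp))

    # Captured genuine signature replayed into a new session with a different shared secret.
    session2 = exchange_hash(c_kex, s_kex, server_pub, shared_secret=987654321)
    results["replayed_signature"] = client_verifies_server(server_pub, server_pub, session2, genuine_sig)
    return results

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:32s} accepted={ok}")
```

The two checks in `client_verifies_server` answer the two halves of the question: the signature over the session transcript proves the peer holds the private key (a copied public key alone cannot produce it, and a captured signature does not transfer to another session), and the comparison against the pinned key is what ties a host key to a particular server name, which in OpenSSH is the `known_hosts` file or an SSH CA-signed host certificate. The client side works the same way in reverse for public-key authentication: the server holds the client's public key and only accepts a signature the client's private key produced over the current session.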
