confusion on ssl certificates

968 views
0

I feel like I have a very flawed understanding on how ssl certificates work here so thought I would explain how I see it here so anyone can correct me.

As far as I understand, Bob has a certificate issued by the certificate authority and encrypted with his private key to prove to Alice that she is indeed receiving a message from Bob.

However, what is to stop Eve from getting Bob’s encrypted certificate and then when Alive wishes to talk to Bob (although Eve is playing man in the middle – so Is actually talking to Eve) she gets back a certificate that looks like it is from Bob (but actually from Eve) and as far as Alice is aware, is talking to Bob upon decrypting with the certificate public key

Am I missing something here? Or is my understanding of it totally wrong – thanks to any replies

In: Technology

Bob has a public key for his mail adress [email protected] – he’s giving that one out to everyone, to Alice, to Eve, whoever wants it, gets it. When Bob sends a message from [[email protected]](mailto:[email protected]), it’s using his private key. Only Bob has this one. He didn’t give it to anyone. When he sends his message to Alice, her email program looks if it has a public key for [[email protected]](mailto:[email protected]). If she does, she can read Bob’s message and gets the info that the keys fit. If she doesn’t, the mail gets rejected.

Since only Bob has his private key, Alice can’t pretend to be Bob.

Bob has a public key for his mail adress bob[a]bobinc.xd – he’s giving that one out to everyone, to Alice, to Eve, whoever wants it, gets it. When Bob sends a message from bob[a]bobinc.xd, it’s using his private key. Only Bob has this one. He didn’t give it to anyone. When he sends his message to Alice, her email program looks if it has a public key for bob[a]bobinc.xd. If she does, she can read Bob’s message and gets the info that the keys fit. If she doesn’t, the mail gets rejected.

Since only Bob has his private key, Alice can’t pretend to be Bob.

The Certificate Authority has it’s own key and uses that to wrap up Bob’s Cert.
That way Eve can’t get at Bob’s cert unless she somehow got the CA’s private key.

You actually said what stops Eve from impersonating Bob in your previous sentence, Bob’s certificate is encrypted with his private key. Eve only has Bob’s public certificate, her web server can’t decrypt it without the key.

Certificates contain the address of the site embedded within them, if you’re connected to a site and its certificate is not matching the address it immediately raises browser alarm.

And to change the address inside without invalidating certificate you have to know the private key for the certificate and then re-sign it at certificate authority.