Score:0

Authentication of certificates

in flag

In order to provide authenticity of a sent message, we use certificates as fingerprints. But how do I know that the certificate is not stolen by someone? If the certificates are made public, why cant an attacker just take someones public certificate and identify himself as someone else?

kelalaka avatar
in flag
You need to read some books or take lecture on public-key cryptography. The Root Certificate key are generally physically distributed , however, we have some examples [historical](https://en.wikipedia.org/wiki/Root_certificate) and [supply chain attack is the new method](https://threatpost.com/mimecast-certificate-microsoft-supply-chain-attack/162965/). So, you don't know until they tell you. You can only look on the certicate chain for validation.
Score:2
ru flag

A digital signature makes use of two keys a private key that can be used for producing signatures and a public key that can be used for verification of signatures. The certificate contains information that ties the identity of the signer to the public (verification) key but does not allow anyone to deduce the private (signing) key.

Anyone can present a certificate claiming to be the true signer, but only the true signer should be able to produce signatures that verify correctly.

If someone is able to steal the private (signing) key, they could indeed forge messages. For this reason the private keys should be stored privately and securely rather than broadcast in the way that the public certificates are.

in flag
so what do we need certificates for, if we can create signatures with our private keys and let others check them with the public key we provide? doesnt the signature give the same level of authenticity as a certificate?
Daniel S avatar
ru flag
Without a certificate all you know is that the signature was made by the same person who made other signatures. The certificate ties the public key to a particular identity. With the certificate you are assured that the signer is amazon.com or Fred Jones.
in flag
and how do I create a certificate? is it also created using private and public keys?
Daniel S avatar
ru flag
You apply to a [certificate authority](https://en.wikipedia.org/wiki/Certificate_authority) whose identity is tied to a public key distributed with your web browser/operating system. They will hopefully conduct a rigorous check that you are who you claim to be and then sign your public key to make a certificate.
in flag
thats for the case of a public server, how do I create my own certificate as a client? Can I change it somehow?
SAI Peregrinus avatar
si flag
TLS client authentication (with client certificates) is most commonly used for "smart" devices that connect back to a manufacturer, so the manufacturer controls the client (the device) and the server and runs a custom Certificate Authority both trust.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.