
Title:
Signature Validation - Applied Cryptography

Description:

In order to trust the certificate, the client needs to validate that signature.

To do that it needs to know the corresponding public key.

It needs to know that public key that can be used to decrypt this message.

If it decrypts it, it can check that this hash value is the same as what it computes

when it hashes the certificate content itself.

That is the real problem that public key infrastructure needs to solve.

We need ways of distributing these public keys.

That's called public key infrastructure, also known as PKI.

We need a way to securely know the public key of the issuer.

Once we know that, we can use the certificate to learn the public key of the website we visited.

How do we know that public key?

Let's look back at the certificate that we got from Google.

What we see at the top of it is the certificate hierarchy.

We see that we have the google.com certificate, and that's the one we looked at

and saw that it had this public key.

That was signed by an issuer, and that issuer was Thawte, and we can click on that.

Now we can see the certificate from Thawte that was used to sign this certificate.

We have this certificate from Thawte. It was issued by VeriSign.

We can check that it's valid. It's valid until 2014.

That certificate also has a public key.

It's got a subject identifying Thawte Consulting that generated the key.

It's got a public key. It's also got an RSA key with PKCS.

We can see that public key.

That's the public key that we can use to validate the certificate that RSA provided.

We can use that to decrypt the signed hash to validate that certificate.

This would only be useful if we knew that we could trust this public key.

How do we trust this public key?

Well, it's got a certificate.

Its certificate was issued by VeriSign.

We can find VeriSign's public key to verify this one.

That's the top of the certificate hierarchy here.

We have a certificate from VeriSign, and if we look at that one

well, it came from VeriSign, and it's got a public key, also an RSA key and this one.

You'll notice that all of them use 65,537 as their exponent.

The moduli are all different.

If they weren't different, that would mean they were all using the same public key,

which would be a pretty serious problem.

If we look at this key, we can see that its expiration date is all the way up to 2028.

It goes back to 1996. This is a very long-lived key.

This is the key that is the root of our certificate hierarchy.

Here's what we have. We have a certificate that was sent by Google.

It was signed using a private key owned by Thawte Consulting.

To validate that, we need the corresponding public key, which we get from a certificate

that was signed by VeriSign.

To verify that, we need the public key for VeriSign.

We have that from a certificate, which says it's VeriSign's.

How can we trust VeriSign's certificate

or do we have to keep going on forever?
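
The chain check described in this lecture, as an added example that is not part of the original lecture: each certificate's signature is "decrypted" with the issuer's public key and compared with a hash of the certificate content. It assumes textbook RSA with no PKCS padding, Mersenne primes chosen for convenience, and a constructed three-field certificate format; the root's key is taken as given, which is the question the lecture ends on.

```python
import hashlib

E = 65537  # public exponent, the same in all three certificates

def keypair(p, q):
    """Toy RSA key from two primes (assumption: no real key generation)."""
    n = p * q
    return n, pow(E, -1, (p - 1) * (q - 1))  # (modulus, private exponent)

def digest(cert, n):
    """Hash of the certificate content, i.e. everything except the signature."""
    body = f"{cert['subject']}|{cert['issuer']}|{cert['n']}".encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def issue(subject, subject_n, issuer, issuer_n, issuer_d):
    """Issuer signs the hash of the content with its private key."""
    cert = {"subject": subject, "issuer": issuer, "n": subject_n}
    cert["sig"] = pow(digest(cert, issuer_n), issuer_d, issuer_n)
    return cert

def verify(cert, issuer_n):
    """Apply the issuer's public key to the signature, compare with our hash."""
    return pow(cert["sig"], E, issuer_n) == digest(cert, issuer_n)

def verify_chain(chain):
    """chain = [leaf, ..., root]. Returns the subject of the first
    certificate that fails, or None. The root's own key is not checked."""
    for cert, issuer_cert in zip(chain, chain[1:]):
        if cert["issuer"] != issuer_cert["subject"]:
            return cert["subject"]
        if not verify(cert, issuer_cert["n"]):
            return cert["subject"]
    return None

def build_chain():
    """Constructed sample chain mirroring the one in the lecture."""
    root_n, root_d = keypair(2**521 - 1, 2**607 - 1)
    mid_n, mid_d = keypair(2**107 - 1, 2**127 - 1)
    leaf_n, _ = keypair(2**61 - 1, 2**89 - 1)
    root = issue("VeriSign", root_n, "VeriSign", root_n, root_d)
    mid = issue("Thawte", mid_n, "VeriSign", root_n, root_d)
    leaf = issue("google.com", leaf_n, "Thawte", mid_n, mid_d)
    return [leaf, mid, root]

if __name__ == "__main__":
    print(verify_chain(build_chain()))
```
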