Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

question about PKI

Hello all. I am relatively new to the security arena and have a very nagging issue with understanding how certificates work. I have read several different books over the course of 10 years and I just get more frustrated every time I revisit this topic.

My question is can someone walk me through a home user visiting a secure website and what occurs with the CA and how encryption/decryption is achieved. To be more specific, please read my understanding below and my more specific questions.

Here is the best of my understanding - The clients web browser keeps a bunch of root CAs. (Trusted CAs). When the client requests a secure website, the website sends its digitally signed certificate with the CAs public key. The clients web browser uses the public key of one of the root CAs to verify this digitally signed certificate. Now the websites digital certicate has been verified. What happens next?

To give a further example - I visit https://www.bellsouth.com/ . It says the connection to this server is encrypted. I believe what happens is it sends me that web page over the Internet all garbled up (encrypted) and then when it arrives at my PC I see clear readable text. At what point does this web page get decrypted so that I, the client, can see the content of the the web page returned. Does this happen as soon as my web browser uses one of its trusted CAs public key to verify the servers digitally signed certificate? Does the client web browser require a private key to decrypt this web page and display it in clear text?

Thanks a million!

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: question about PKI

You should think the master key as a key that is changed every time. It is an arbitrary key that is chosen by the client and used for the AES encryption by both units. It changes every time.

Please mark this as answered if it is or let us know if there are still concerns.

PK

6 REPLIES
Cisco Employee

Re: question about PKI

To answer your question

Here is the best of my understanding - The clients web browser keeps a bunch of root CAs. (Trusted CAs). When the client requests a secure website, the website sends its digitally signed certificate with the CAs public key. The clients web browser uses the public key of one of the root CAs to verify this digitally signed certificate. Now the websites digital certicate has been verified. What happens next?

The certificate has the public key of the party that has it and it is signed by the CA. When your browser uses the CA certificates that it trusts, it verifies that the certificate was indeed signed by the CA that it trusts. Thus, it assumes that the public key that it sees in the the certificate was indeed provided to the 3rd party by the CA, after the CA verified that the party is not a scam. In other word, the CA has already checked the 3rd party and found it ok, then it provided it a public and private key and you can believe all that because the CA that you trust has provided and signed the 3rd party cert.

So now, you have the public key of a 3rd party that you trust (since you also trust the CA). After you have the public key you use public key crypto to set up a shared key. And when you have the shared key you use it to encrypt all your communication with AES algorithm. I would suggest you to look into how SSL works. After the point of having public keys it is a matter of SSL using RSA and Diffie Hellman and AES.

I hope it helps.

PK

Cisco Employee

Re: question about PKI

Did it clarify how it works? Does it make sense?

PK

New Member

Re: question about PKI

The explanation that you gave is pretty much my understanding of things. I understand it to the point that the session gets encrypted using the negotiated public key. This still does not answer my question as to how the encrypted communication gets decrypted so that it can be visible to the requestor.

For instance, I request the page https://www.bbt.com. The web server returns a digitally signed certificate from a trusted CA. we negotiate public keys and our session is now encrypted.

Whenever the web server returns the encrypted data to me, how does it get decrypted so that I (the client) can see the displayed page. do I have some private key stored on my laptop or in my browser somewhere that decrypts it?

Cisco Employee

Re: question about PKI

I don't think it is clear how it works. Let me elaborate a little:

After the client has received and authenticated the cert of the bbt server it has the public key it can trust. Then it chooses a master key for the data exchange. It encrypts that key using the server's public key and sends it to the server. The algorithm to encrypt the master key/message is RSA. The server only can decrypt that message using its private key (no one else has that private key). so the server decrypts the encrypted master key. Thus now both the client and the server have the master shared key. That key is now used to encrypt all data/message exchanges between the 2 parties. The algorithm that is used to encrypt and decrypt the data using one shared key is AES. If you want more information how the algorithms work, I would suggest looking into RSA and AES algorithms themselves. RSA is a public key algorithm (uses different key for encryption and different for decryption) whereas AES is a shared key algorithm (uses same keys for encryption and decryption).

Does it make sense?

Let us know if it answers your question by marking it as answered for others to benefit in the future, if it does.

PK

New Member

Re: question about PKI

I really appreciate this response. This is as clear an explaination as I have ever had. I actually get it. One final question in reference to the following, ' Then it chooses a master key for the data exchange.' How is that accomplished? Through the browser? Is that 'master key' just a shared public key provided by the trusted CA that the browser uses for this communication.

I understand everything else, just trying to be very clear on how the master key is generated. Thanks!

Cisco Employee

Re: question about PKI

You should think the master key as a key that is changed every time. It is an arbitrary key that is chosen by the client and used for the AES encryption by both units. It changes every time.

Please mark this as answered if it is or let us know if there are still concerns.

PK

365
Views
0
Helpful
6
Replies
CreatePlease login to create content