0

Assuming a situation in which Alice wants to send Bob an encrypted message by using a PKE, as far as I know, digital certificates allow both Alice and Bob to be sure that the public key they have is the one which actually correspond to the other one and it's not faked.

(If I'm wrong, please let me know)

But my question is: what is the step-by-step process for assuring that the public key contained in the certificate is the real one and it has not been modified?

Franzech Domâs
  • 975
  • 1
  • 8
  • 10
  • 1
    For a very detailed example of an X.509 (SSL/TLS) cert, see http://security.stackexchange.com/questions/127095/manually-walking-through-the-signature-validation-of-a-certificate . – dave_thompson_085 Jul 04 '16 at 20:02

1 Answers1

2

The certificate is digitally signed by a 3rd party, e.g. a CA (certificate authority). This signature can be verified using the public key of the CA.

If the attacker modifies the public key, the signature won't match any longer.

If the attacker also finds a way to modify the public key of the CA, then you lost I'd say.

Thomas Weller
  • 3,246
  • 3
  • 21
  • 39