1

In an HTTPS connection, asymmetric encryption (with the server certificate) is used during the handshake and to create the symmetric keys. Am I right that in this case the client certificate does no encryption? The server just checks that it trusts that client certificate and that's all?

Eugene To

1 Answer

3

The operation performed is similar to server authentication with the following differences.

After sending the ServerKeyExchange message, the server indicates to the client that it wishes to authenticate the client via a CertificateRequest message; the client then sends its certificate. The TLS handshake operation is performed normally, but after sending the ClientKeyExchange message, the client sends a CertificateVerify message that contains a signature of the previous handshake messages. Server and client then compute a value from the random numbers exchanged and the PreMasterSecret, and the client then sends a ChangeCipherSpec and the operation continues as without client authentication.

As you can see, the server checks if the client has possession of the private key; not just that it trusts the client cert.

MemCtrl
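The CertificateVerify step the answer describes, as an added Go example (not code from the original post or from any TLS library): the client signs a SHA-256 hash of the handshake transcript with its private key, and the server verifies that signature with the public key carried in the client's certificate, which is how it learns the client actually holds the key. The transcript bytes and the self-signed "demo-client" certificate are constructed for the demo; real TLS 1.2 signs the actual encoded handshake messages and the server would additionally validate the certificate chain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// TranscriptHash hashes the concatenated handshake messages sent so far
// (ClientHello ... ClientKeyExchange); this is what CertificateVerify signs.
func TranscriptHash(transcript []byte) []byte {
	sum := sha256.Sum256(transcript)
	return sum[:]
}

// ClientCertificateVerify: the client signs the transcript with the private
// key belonging to the certificate it sent in its Certificate message.
func ClientCertificateVerify(priv *ecdsa.PrivateKey, transcript []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, TranscriptHash(transcript))
}

// ServerVerifiesClient: the server recomputes the transcript hash and checks
// the signature with the public key from the client certificate. Trusting
// the certificate (chain validation) is a separate step; this is the
// proof-of-possession check.
func ServerVerifiesClient(cert *x509.Certificate, transcript []byte, sig []byte) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	return ok && ecdsa.VerifyASN1(pub, TranscriptHash(transcript), sig)
}

// NewClientCert builds a self-signed ECDSA certificate for a constructed
// demo identity ("demo-client"); a real deployment uses a CA-issued cert.
func NewClientCert() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "demo-client"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}
```

A signature over a modified transcript, or one made with a key that does not match the presented certificate, fails verification, which is exactly what stops a client from simply replaying someone else's certificate.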