What is Digital certificate

Before we come to SSL handshake, I want to discuss certificate first.

Certificate : In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the ownership of a public key.

Let’s try to understand this definition by how we generate a certificate and how it is able to prove ownership of public key :

1. On server side , we generate private key and public key. Private key always reside on server and we share public key with few more details(CSR) with CA(Certificate Authority).
2. CA put encrypted hash value of public key (We generally call them digital signatures) on certificate. Most important thing here to note is that the hash value is encrypted with private key of CA.
3. On client side , browser has public certificate of all known CA’s and when server sends public key in one of the step of SSL handshake, it is matched with the decrypted hash value of public key on certificate(Hash value is decrypted by public keys of roots CA’s which are there in browsers and hashed value is matched with the value of public key sent by server)

So, now by matching public key, certificate is able to prove the ownership of public key.

We have understood digital signature and certificate definition, now we can try to understand , how ssl/tls works.

How TLS works : Public key cryptography(Asymmetric Cryptography) is used for key-exchange and authentication and actual data transfer takes place by symmetric key cryptography.

1. The ‘client hello’ message: The client initiates the handshake by sending a “hello” message to the server. The message will include which TLS version the client supports, the cipher suites supported, and a string of random bytes known as the “client random.”
2. The ‘server hello’ message: In reply to the client hello message, the server sends a message containing the server’s public key, the server’s chosen cipher suite, and the “server random,” another random string of bytes that’s generated by the server.
3. Authentication: The client verifies the server’s public key with the certificate authority that issued it. This confirms that the server is who it says it is, and that the client is interacting with the actual owner of the domain.[This step is explained in certificate definition above]
4. The premaster secret: The client sends one more random string of bytes, the “premaster secret.” The premaster secret is encrypted with the public key and can only be decrypted with the private key by the server. (The client gets the public key from the server’s SSL certificate.)
5. Private key used: The server decrypts the premaster secret.
6. Session keys created: Both client and server generate session keys from the client random, the server random, and the premaster secret. They should arrive at the same results.
7. Client is ready: The client sends a “finished” message that is encrypted with a session key.
8. Server is ready: The server sends a “finished” message encrypted with a session key.
9. Secure symmetric encryption achieved: The handshake is completed, and communication continues using the session keys.

Thanks !

Reference : 1 ) https://en.wikipedia.org/wiki/Public_key_certificate

2 ) https://www.cloudflare.com/en-gb/learning/ssl/what-happens-in-a-tls-handshake/