How does an HTTPS client (browser) check that a public key certificate is legitimate?

Time:10-03

Before HTTPS communication starts, the two sides have to go through a handshake phase, which is described as follows:

Step 1: Alice sends the protocol version number, a random number generated by the client (Client random), and the list of encryption methods the client supports.

Step 2: Bob confirms the encryption method both sides will use, sends his digital certificate, and sends a random number generated by the server (Server random).

Step 3: Alice checks the digital certificate, then generates a new random number (the Premaster secret), encrypts it with the public key contained in the digital certificate, and sends it to Bob.

Step 4: Bob uses his own private key to recover the random number Alice sent (that is, the Premaster secret).

Step 5: Alice and Bob, following the agreed encryption method, use the three random numbers above to generate the "session key", which is used to encrypt the whole of the subsequent dialogue.

For details, see Ruan Yifeng's blog article: http://www.ruanyifeng.com/blog/2014/09/illustration-ssl.html

My question is: if, in step 2, I intercept the certificate Bob sends to Alice and instead hand Alice my own digital certificate, and that certificate was also issued by an authority, then how does Alice, in step 3, recognise that this digital certificate is not Bob's? A real-world version of this situation: for example, I hijack the domain name, send my certificate to Alice, and then steal her account password and so on.
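The checks a browser actually performs at step 3 are: the certificate's issuer must be a CA in the client's own trust store, the CA's signature over the certificate body must verify under that CA's public key, the validity period must cover the current time, and the hostname the client typed must appear in the certificate's DNS names. The example below is added here to make those checks concrete; it is not code from the original post or from Ruan Yifeng's article. It uses a deliberately tiny textbook RSA (fixed Mersenne primes, no padding) purely so that signing and verifying run offline with the standard library; the names Alice, Bob, Mallory, the domains bob.example and mallory.example, the trust store contents and all timestamps are constructed for the example. The attacker scenarios it runs are exactly the ones in the question: Mallory presents her own validly issued certificate for her own domain, forges a bob.example certificate under a CA of her own making, tampers with Bob's real certificate, or signs a certificate naming the trusted issuer with a key that is not the issuer's.

```python
import hashlib
import json


def mersenne(k):
    """2**k - 1 for Mersenne-prime exponents; toy key material, not real key generation."""
    return (1 << k) - 1


def rsa_keypair(p, q, e=65537):
    """Textbook RSA (no padding, tiny primes): enough to show the trust-chain logic."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    n, d = priv
    return pow(digest_int(data, n), d, n)


def verify_sig(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest_int(data, n)


def encode_tbs(tbs):
    """Canonical encoding of the to-be-signed body (X.509 uses DER; JSON stands in here)."""
    return json.dumps(tbs, sort_keys=True).encode()


def issue_certificate(issuer, issuer_priv, dns_names, subject_pub, not_before, not_after):
    tbs = {"issuer": issuer, "dns_names": dns_names, "public_key": list(subject_pub),
           "not_before": not_before, "not_after": not_after}
    return {"tbs": tbs, "signature": sign(issuer_priv, encode_tbs(tbs))}


def hostname_matches(pattern, hostname):
    """Browser-style matching: a wildcard covers exactly one leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname


def verify_certificate(cert, hostname, trust_store, now):
    """The client-side checks of step 3; returns (accepted, reason)."""
    tbs = cert["tbs"]
    ca_pub = trust_store.get(tbs["issuer"])
    if ca_pub is None:
        return False, "issuer not in the client's trust store: " + tbs["issuer"]
    if not verify_sig(ca_pub, encode_tbs(tbs), cert["signature"]):
        return False, "signature does not verify under the issuer's key"
    if not tbs["not_before"] <= now <= tbs["not_after"]:
        return False, "certificate expired or not yet valid"
    if not any(hostname_matches(name, hostname) for name in tbs["dns_names"]):
        return False, f"hostname {hostname} not covered by {tbs['dns_names']}"
    return True, "ok"


def encrypt_premaster(pub, secret):
    n, e = pub
    return pow(secret, e, n)


def decrypt_premaster(priv, ciphertext):
    n, d = priv
    return pow(ciphertext, d, n)


# Constructed keys: one trusted root CA, Bob, and Mallory (her own CA plus a server key).
ROOT_PUB, ROOT_PRIV = rsa_keypair(mersenne(61), mersenne(89))
BOB_PUB, BOB_PRIV = rsa_keypair(mersenne(107), mersenne(127))
MAL_CA_PUB, MAL_CA_PRIV = rsa_keypair(mersenne(521), mersenne(607))
MAL_PUB, MAL_PRIV = rsa_keypair(mersenne(1279), mersenne(2203))
TRUST_STORE = {"Example Root CA": ROOT_PUB}  # what ships with Alice's browser
NOW = 1_700_000_000
DAY = 86_400


def run_scenarios():
    """Alice typed https://bob.example and is shown each of these certificates."""
    bob_cert = issue_certificate("Example Root CA", ROOT_PRIV, ["bob.example", "*.bob.example"],
                                 BOB_PUB, NOW - DAY, NOW + 90 * DAY)
    # Mallory's genuine, CA-issued certificate for her own domain.
    mal_cert = issue_certificate("Example Root CA", ROOT_PRIV, ["mallory.example"],
                                 MAL_PUB, NOW - DAY, NOW + 90 * DAY)
    # A bob.example certificate signed by a CA Mallory invented.
    forged = issue_certificate("Mallory CA", MAL_CA_PRIV, ["bob.example"],
                               MAL_PUB, NOW - DAY, NOW + 90 * DAY)
    # Bob's real certificate with Mallory's public key swapped in, signature kept.
    tampered = {"tbs": dict(bob_cert["tbs"], public_key=list(MAL_PUB)),
                "signature": bob_cert["signature"]}
    # Names the trusted issuer but is signed with a key the issuer does not hold.
    fake_issuer = issue_certificate("Example Root CA", MAL_CA_PRIV, ["bob.example"],
                                    MAL_PUB, NOW - DAY, NOW + 90 * DAY)
    return {
        "bob": verify_certificate(bob_cert, "bob.example", TRUST_STORE, NOW),
        "bob_wildcard": verify_certificate(bob_cert, "www.bob.example", TRUST_STORE, NOW),
        "mallory_own_cert": verify_certificate(mal_cert, "bob.example", TRUST_STORE, NOW),
        "forged_ca": verify_certificate(forged, "bob.example", TRUST_STORE, NOW),
        "tampered_key": verify_certificate(tampered, "bob.example", TRUST_STORE, NOW),
        "fake_issuer": verify_certificate(fake_issuer, "bob.example", TRUST_STORE, NOW),
        "expired": verify_certificate(bob_cert, "bob.example", TRUST_STORE, NOW + 365 * DAY),
    }


def mallory_can_read_premaster():
    """Step 3/4: the secret is encrypted to the key in Bob's certificate, so only Bob decrypts it."""
    secret = 0xC0FFEE
    return decrypt_premaster(MAL_PRIV, encrypt_premaster(BOB_PUB, secret)) == secret


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:18s} {'ACCEPT' if ok else 'REJECT'}  {why}")
    print("Mallory recovers premaster secret:", mallory_can_read_premaster())
```

Only Bob's own certificate is accepted for bob.example. Mallory's genuine certificate fails the hostname check because the CA only vouched for mallory.example; the forged certificate fails because "Mallory CA" is not in Alice's trust store; the tampered and fake-issuer certificates fail signature verification because producing a valid signature requires the root CA's private key. Since Alice then encrypts the Premaster secret to the public key in the certificate she accepted, a domain hijack alone gives Mallory nothing she can decrypt; real browsers additionally check revocation, chain length and key usage, which this example omits.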