DEV Community

Discussion on: Explain Certificates Like I'm Five

Nested Software • Edited

Asymmetric cryptography (also known as public key cryptography) has this very interesting property: You can create a pair of keys, and if you encrypt a message with one of the keys, you can then quickly decrypt the message with the other key. If you don't have the other key, you can't decrypt the message. The important thing is that if you have access to only one of the keys, there isn't any easy way to figure out what the other key is.

In practice, you choose one of the keys to be your "public" key. That means that you can publish it online and anyone can see it. You choose the other key to be your "private" key. You have to keep that one as safe as possible so that you're the only one with access to it. As far as I know there is no inherent difference between the two keys that are used. You just arbitrarily pick one to be the private key (or your encryption software does it for you).

If someone wants to send you a private message, they can use your public key to encrypt the message. That means only someone with the private key (hopefully that's only you) can decrypt the message to read it.

You can also encrypt a message with your private key and send it to someone else. That means they can decrypt the message with your public key. Since the public key is available to everyone, that means anybody can read your message. So how is this useful then? It's useful because if they can decrypt the message using your public key, they know for sure that your private key was used to encrypt it. In other words, they know that you (or someone with access to that private key at least) was the one who sent the message. Encrypting a message with the private key so that it can be decrypted with the public key is called "signing" a message.

Let's say I sign a message with my private key and send it to you. By decrypting the message with my public key, you know that my private key was used to generate the message. However, how do you know that the public key really belongs to me? Maybe someone just created a public key and published it to an online registry under my name so that they could impersonate me!

That's where certificates come in. Basically I can go to some organization, known as a certificate authority, and ask them to use their private key to sign my public key. Usually I would have to offer some evidence that I am who I say I am first (the amount of evidence needed can vary in practice). Once they are convinced that I am really me, they then sign my public key.

That’s what a certificate is: A certificate is someone's public key, let's say Janet's public key, along with some additional information such as name, address, organization, etc., that has been encrypted using the private key of a certificate authority. That means you can use the certificate authority's public key to decrypt the certificate. Doing so ensures that the information contained therein was confirmed to be valid by the certificate authority and that no one has modified it -- if someone tried to tamper with the certificate, it would no longer be possible to decrypt it with the certificate authority's public key.

Now, when you get a signed message from Janet, you can verify that the public key needed to decrypt it was signed by a given authority. That gives you additional confidence that it's a message from the real Janet. Of course, now a new question may arise: How do you know that a given certificate authority is legitimate? It turns out there is a chain of authorities where the public key of each one is verified by one higher up above it. At the very top there is a "root certificate authority" that everyone has agreed to trust. As an example, the US federal government acts as a root authority for some public keys.
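The chain of trust described in the comment above, as an added example that is not part of the original post: a root authority signs an intermediate authority's key, which signs Janet's key, and a verifier walks the chain back to a root it already trusts. It uses toy textbook RSA over a SHA-256 hash with fixed small primes and no padding, so it is for illustration only; the names "Toy Root", "Toy CA" and "Mallory" and all keys are constructed assumptions.

```python
import hashlib

def M(k): return 2**k - 1  # Mersenne primes for the exponents used below (toy keys)

def make_key(p, q, e=65537):
    """Textbook RSA key pair: public (e, n) and private (d, n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"pub": (e, n), "priv": (pow(e, -1, phi), n)}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, priv):
    d, n = priv
    return pow(digest(data, n), d, n)         # private-key operation on the hash

def verify(data, sig, pub):
    e, n = pub
    return pow(sig, e, n) == digest(data, n)  # public-key operation must give the hash back

def cert_body(cert):
    e, n = cert["pub"]
    return f'{cert["subject"]}|{e}|{n}|{cert["issuer"]}'.encode()

def issue_cert(subject, subject_pub, issuer, issuer_priv):
    cert = {"subject": subject, "pub": subject_pub, "issuer": issuer}
    cert["sig"] = sign(cert_body(cert), issuer_priv)
    return cert

def verify_chain(chain, trusted_roots):
    """chain is leaf-first. Return the leaf's public key if every link verifies, else None."""
    for i, cert in enumerate(chain):
        if i + 1 < len(chain):                # issuer should be the next certificate up
            parent = chain[i + 1]
            issuer_pub = parent["pub"] if parent["subject"] == cert["issuer"] else None
        else:                                 # top of the chain: must be a root we already trust
            issuer_pub = trusted_roots.get(cert["issuer"])
        if issuer_pub is None or not verify(cert_body(cert), cert["sig"], issuer_pub):
            return None
    return chain[0]["pub"]

# Constructed sample data: a root, one intermediate authority, Janet, and an impersonator.
ROOT, CA = make_key(M(521), M(607)), make_key(M(127), M(107))
JANET, MALLORY = make_key(M(89), M(61)), make_key(M(31), M(19))
TRUSTED = {"Toy Root": ROOT["pub"]}
CHAIN = [issue_cert("Janet", JANET["pub"], "Toy CA", CA["priv"]),
         issue_cert("Toy CA", CA["pub"], "Toy Root", ROOT["priv"])]
FORGED = [issue_cert("Janet", MALLORY["pub"], "Toy CA", MALLORY["priv"]), CHAIN[1]]
```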

Anthony Dreessen

When you say "signed by", does that mean "encrypted with the private key corresponding to the known public key for that entity"?

Nested Software • Edited

Yes, I believe so. From en.wikipedia.org/wiki/Public_key_c...

Signature: A signature of the certificate body by the issuer's private key.