All geek questions in one place

How do digital certificates verify the identity of the device?

I understand how the relationship between certificates of the issuer and the subject allows you to verify the authenticity of the subject. If I connect to a network device and it sends me its certificate to identify itself, then I can verify that it was issued by a trusted party and that it was not tampered with in any way. However, suppose I just upload this certificate to another device. Then what prevents me from identifying myself with the copied certificate with this device?

+4
source share
4 answers

Nothing prevents you from doing this. I see that all the time at work. The only thing that prevents someone from taking your certificate and installing it somewhere is the password associated with the certificate. Therefore, you do not know that the device is the one who says that this is true, but you know that the one who knew the password for the certificate was able to install it on the device. User and password authentication has its pros and cons, as well as certificates.

+2
source

In my opinion, this is a common misunderstanding of certificates, partly due to various marketing departments. A certificate of any type does not guarantee that the device at the other end of the communication line is what you think.

All the certificate can really do is provide a public key / private key mechanism to protect the information that you transfer between the two devices. This prevents third parties from sniffing data when they cross, possibly hundreds of devices between them.

He cannot guarantee that the device is on the other end or to whom it belongs. Some certificate issuers will try to verify who holds the certificate before issuing the certificate. However, even this process is erroneous and is very easily undermined.

+2
source

In order for the client device to authenticate, say, on a remote server, the client must have a private key associated with the certificate, and not just the certificate.

In client-side authentication, for example, the client signs (encrypts) the call with its private key. This private key corresponds to the public key in its certificate. Unlike the public key of a certificate, the client must protect its private key.

The server then uses the public key in the client certificate to verify the client signature.

However, the server should rely only on the public key in the certificate to verify the client’s signature, if it trusts the issuing CA, the certificate is still in its valid period and has not been revoked.

+1
source

The device may try to pretend that it is the device identified by the certificate. However, this will not be useful if the data transmitted to him is encrypted using the public key provided in the certificate, since the wrong device will not have a private key.

The best that can be achieved is a denial of service attack, discarding messages sent to it.

+1
source

Source: https://habr.com/ru/post/1307819/

More articles:


All Articles