Unlock Digital Signature Legitimacy for Acknowledgement of Resignation in Canada

How to eSign a document: digital signature legitimacy for Acknowledgement of Resignation in Canada

we frequently using it for viewing and sharing highly confidential and personal information online banking records medical reports credit scores among many other things when we access a website or communicate with someone over the Internet how can we be sure who we're communicating with and not someone or something more malicious we use protocols like TLS transport layer security to secure the connection between our browsers and the server but that secure connection only helps us if we know who are actually communicating with so how can we be sure who are actually communicating with across the Internet hi I'm Rob Witcher in today's episode we're going to talk about digital certificates and how they help us solve this problem by binding an owner to their public let's begin by understanding the problem the digital certificates address well look at an example here of Alice accessing her online banking in order to secure the communications between her browser and a server she'll use a protocol like TLS which will encrypt the data in motion between her browser and the server the first step in establishing a secure TLS session is Alice's browser sending a client hello message to the server the server replies with a server hello message and includes a copy of the server's asymmetric public key Alice's browser receives the server's public key and here's the cool part about TLS Alice's browser actually generates a symmetric session key that they use for encrypting the communication between the server but now we have the big problem of symmetric key distribution to solve this problem Alice's browser encrypts the symmetric key with the server's public key and thus the only system in the world that can decipher the symmetric session key is the server with its private key so Alice's browser sends the encrypted session key over to the server and the server decrypt with its private key the server now has a copy of the symmetric session key and it seems like no one could have gotten a copy of the symmetric key in transit and because both Alice's browser and the server have the same symmetric key on both sides they can now switch over to very fast very efficient symmetric cryptography this seems great but there's actually a huge problem here and it has to do with the server sending its public key to Alice public keys are never sent like this and to be clear this is not how protocols like TLS work let's understand why you never just send a public key like this here's the same diagram again and let's start from the beginning Alice's browser sends a client hello message the server replies with a server hello message and sends a copy of the server's public key but now we introduce our third actor the baddie performing a man-in-the-middle attack the baddie intercepts the server's public key and rather than forwarding on the server's public key Dallas the baddie forwards on the baddies public key not good Alice receives what she thinks is the server's public key but is in fact the baddies public key and as before her browser then proceeds to generate a symmetric session key and encrypted this session key with what her browser thinks as the server's public key but is in fact the body's public key and then Alice's browser sends that encrypted cipher text to the server predictably the baddie intercepts the encrypted symmetric session key and because it was encrypted with the baddies public key it is decrypted with the baddies private key so the baddie now has a copy of the symmetric session key not good at all further our body being the nefarious individual that they are proceeds to re-encrypt that symmetric session key with the server's public key and for that ciphertext on to the server the server decrypts the encrypted symmetric key with the server's private key and now the server has a copy of the symmetric key and alice has a copy of the symmetric key and they begin communicating back and forth using this symmetric key thinking this is a secure connection but it is not because who else has the symmetric key the baddie now just like the first time around Alice and the server both have the same symmetric key and begin communicating back and forth using fast and secure symmetric encryption the big difference here of course is that this encrypted session is not secure the baddie has a copy of the symmetric key with the symmetric key the body is able to easily decrypt read and even modify data before encrypting it and passing it on and neither Alice nor the server have any idea this is happening why don't they know the body is doing this the problem here resides with the exchange of public keys what is a public key at the most basic level a public key is just a string of numbers bits ones and zeroes there is no way to tell if someone's and zeros belongs to the server or to the body how then do we fix this problem the answer is digital certificates digital certificates bind and owner to their public key they allow us to verify who a public key belongs to to understand how let's look at the process we used to create a digital certificate will use Alice as an example she wants to obtain a digital certificate that anyone in the world would trust she begins by providing a little bit of information on herself including her name and a copy of her public key to a trusted certificate authority if she wants anyone in the world to trust her digital certificate then she needs to go to one of the big trusted CAS such as comodo Symantec GoDaddy global sign did you search any of these ones I always think GoDaddy is Big Daddy but that's an entirely different type of video so I'll submit some information on herself and a copy of her public key to a trusted CA the first thing the CA does is proof her identity and verify her info in other words if Alice says she is Alice the CA will confirm that she is in fact Alice we call this identity proofing and to go a step deeper the entity that does the identity proofing is often referred to as the registration authority ra once Alice's identity has been proofed the CA encrypts the information she provided along with her public key with the ca's private key and that's it oversimplified a digital certificate contains the name of the owner and a copy of their public key all of which is encrypted with the CAS private key so who can decrypt a digital certificate from one of the big trusted certificate authorities the answer is anyone with the CAS public key this is why if you want anyone in the world to trust your digital certificate you have to go to one of the big global trusted CAS because everyone in the world has a copy of the big public CAS he's installed on their systems how does everyone have the big ca's public keys installed on their systems well they come pre-installed with our browsers with our operating system so you can assume that everyone in the world has the big ca'se public keys by the way the standard by which we create digital certificates is known as x.509 I'll be making a video on x.509 and I'll link to that up here when when I get a chance to make it okay now that we understand what a digital certificate is and what they contain let's understand how they help us solve this man-in-the-middle problem that we've just discussed the crux of it is that we never ever send someone our public key instead we send them our digital certificate let's take a look the server needs to get its public key to Alice but rather than just sending its public key the server sends its digital certificate our body will as usual intercept the communication and now has a copy of the server's digital certificate the baddie can forward on its own digital certificate instead of the servers but let's look at what happens Alice receives the baddies digital certificate and the first thing she's going to do is decrypt with the ca'se public key what she finds inside the digital certificate is that it belongs to the baddie because remember digital certificates contain the name of the owner of that digital certificate Alice's browser was expecting a certificate from the bank's server so right away her browser knows that it shouldn't trust the public key contained within the digital certificate from the baddy her browser will report to Alice that this is an invalid certificate and her browser will not proceed with generating a symmetric key and encrypting with the body's public key the man in the middle attack has been solved because alice is able to verify the owner of a public key now you might be wondering about another crafty thing the body could drive the batter can intercept the server's digital certificate and the bad he can certainly decrypt it to get the server's public key because like everyone else in the world the baddie has a copy of the CAS public key the interesting question though is can the body remove the server's public key from the server's digital certificate and replace it with the body's own public key the answer is an emphatic no for the battery to be able to modify or to recreate this certificate the baddy would need to see A's private key and you can be darn sure the big trusted CAS do a very good job of protecting their private keys so there you have it digital certificates bind an owner to their public key allowing us to verify who were communicating with over the Internet thanks very much for watching I hope you found this episode informative if you liked this video you can hit the like button and if you want to be notified when we release future videos you can hit the subscribe and the bell icon let me know what you think in the comments down below and let me know what topics you want me to cover in the future Cheers you