TLS, certificates and digital signatures
TLS, certificates and signatures
- When you see the padlock on
https://, three things are working together. - TLS secures the connection; a certificate proves identity; a digital signature proves authenticity.
- Together they stop eavesdroppers and man-in-the-middle attacks.
TLS
- TLS (Transport Layer Security, the successor to SSL) is a protocol that gives encryption, authentication and integrity for data in transit.
- Handshake outline: the client proposes ciphers → the server sends its digital certificate (with its public key) → the client checks it → they exchange a fresh session key → all later traffic uses fast symmetric encryption.
- Use it wherever sensitive data is sent: HTTPS, online banking, secure email, VPNs.
TLS provides which combination of protections for data in transit?
TLS encrypts the traffic, authenticates the server (via a certificate) and detects tampering (integrity).
Digital certificates
- A digital certificate binds an identity (a domain/organisation) to a public key, and is signed by a trusted Certificate Authority (CA).
- It contains the subject, the subject's public key, the issuer (CA), a validity period, and the CA's signature.
- To verify it, the client checks the dates, that the name matches the URL, and that it is signed by a trusted CA (following the chain to a trusted root). If anything fails → the "connection is not private" warning.
A digital certificate binds:
The CA vouches that this public key really belongs to this identity, by signing the certificate.
When verifying a certificate, the client checks that it is:
The browser checks validity dates, that the subject name matches the site, and the CA signature up to a trusted root.
Digital signatures
- A digital signature proves who signed a message and that it wasn't changed.
- To sign: hash the message, then encrypt the hash with the sender's private key — that is the signature.
- To verify: hash the received message, decrypt the signature with the sender's public key, and compare. A match proves authenticity and integrity.
- A signature does not hide the message — for confidentiality too, encrypt and sign.
To create a digital signature, the sender:
Signing = hash the message, then encrypt the digest with the private key; the receiver verifies with the public key.
A digital signature on its own provides:
It proves who signed and that nothing changed, but does not hide the message — to also keep it secret, encrypt as well.
You've got it
- TLS = encryption + authentication + integrity for data in transit (HTTPS)
- a certificate binds an identity to a public key, signed by a trusted CA
- a digital signature = hash the message, encrypt the hash with the private key; verify with the public key
- signatures give authenticity + integrity (not confidentiality) — encrypt and sign for both