How public and private key authorization works in websites — Simple Guide

Abith Ahamed
Jul 15, 2024


Digital access and online purchases are common worldwide, and billions of online transactions happen every day. Each of them has to be protected from eavesdropping and tampering while the data is in transit between the end user and the server. Several security mechanisms work together to achieve this, and this guide walks through how the connection between the browser and the server is protected from start to finish.

To make this concrete, I will use an example:

Example: an online purchase on Amazon

Website authentication between the server and the browser

Key Pair Generation

A public key and a private key are generated as a pair by Amazon (or by anyone else setting up an HTTPS site). RSA (Rivest–Shamir–Adleman) and ECDSA (Elliptic Curve Digital Signature Algorithm) are the two algorithms commonly used for this. The private key stays on the web server and is never shared with anyone, including the CA; the public key is the part that will be certified.

Certificate Signing Request (CSR)

The website operator creates a Certificate Signing Request (CSR). It contains information about the website (such as the domain name and organization details) together with the public key, and it is signed with the website's private key, which lets the CA check that whoever sent it actually holds that key. The CSR is then sent to a Certificate Authority (CA).

Role of the Certificate Authority

The CA validates the request: it checks the CSR's own signature, verifies that the requester controls the domain named in it (for a domain-validated certificate, typically through a DNS or HTTP challenge), and for organization-validated certificates checks the organization details as well. It then assembles the certificate contents (the website's public key, the domain names, a validity period, key usage and the CA's own name as issuer) and computes a hash of that whole to-be-signed structure, using an algorithm such as SHA-256. It is this hash of the entire certificate body, not a hash of the public key alone, that the CA signs.

Digital Signature

The CA signs that hash with its private key, producing the digital signature. Signing is not the same operation as encryption: ECDSA, one of the two algorithms named above, cannot encrypt anything at all, and RSA signing uses a different padding scheme from RSA encryption. The signature lets anyone who holds the CA's public key confirm that the certificate was issued by that CA and that none of its contents have been altered since.

Digital Certificate

The CA packages the website's public key, the identifying information (subject name, Subject Alternative Names, validity period, key usage, issuer name, serial number) and its signature into an X.509 certificate. It is usually delivered together with one or more intermediate CA certificates that link it to a root certificate browsers already trust.

Issuance and Installation

The website administrator receives the certificate (and the intermediate chain) from the CA.

The administrator installs the certificate on the web server, alongside the private key generated in the first step. The server will present the certificate to every browser that connects and use the private key during the handshake.

Secure Communication

When a user visits the website, the server sends its certificate (and the intermediates) to the browser at the start of the TLS handshake. To decide whether to trust it, the browser verifies the CA's signature using the CA's public key from its trusted root store (walking through any intermediates until it reaches a root), and additionally checks that the current date is within the validity period, that the certificate has not been revoked, and that the hostname the user typed is listed in the certificate's Subject Alternative Names. That last check matters: a certificate for some other domain would still carry a valid signature from a trusted CA.

Then the browser and the server establish an encrypted connection (HTTPS). The certificate's key pair is not used to encrypt the page data itself. With modern TLS (1.3, and the ECDHE cipher suites in 1.2), the two sides agree on a fresh session key through an ephemeral Diffie–Hellman exchange, and the server proves that it holds the private key by signing the handshake messages. Only the older RSA key exchange of TLS 1.2 and earlier had the browser encrypt a secret with the website's public key for the server to decrypt with its private key.

Together these steps ensure that the data transferred between the end user and the web server is encrypted, protected against tampering, and exchanged with the genuine server rather than an impostor.
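The issuance and verification steps above, as an added example that is not part of the original post. It uses only Go's standard library, plays all three roles (site operator, CA and browser) in one process, and then shows the two failures browsers report most often: a certificate presented for a hostname it does not cover, and a certificate chaining to a CA that is not in the trust store. The hostname shop.example.com, the CA name "Example Root CA", the organization name and the validity periods are made-up values for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// shopHost is a made-up hostname for this example, not a real site.
const shopHost = "shop.example.com"

// sign creates a certificate from tmpl, signed by signer on behalf of parent; parent == tmpl makes it self-signed.
func sign(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// issue runs the flow end to end and returns the site's certificate and the CA's root.
func issue(host string) (leaf, root *x509.Certificate, err error) {
	// CA: a key pair and a self-signed root. Browsers ship roots like this in their trust store.
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	if root, err = sign(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, err
	}
	// Site operator: key pair generation. The private key never leaves the web server.
	siteKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// Site operator: the CSR carries the public key and the names to certify, and is itself signed
	// with siteKey so the CA can check that the requester holds the matching private key.
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: host, Organization: []string{"Example Shop"}},
		DNSNames: []string{host},
	}, siteKey)
	if err != nil {
		return nil, nil, err
	}
	// CA: parse the CSR and check its self-signature (proof of possession). A real CA also proves
	// domain control, for example with an ACME challenge, before going any further.
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, nil, fmt.Errorf("CSR rejected: %w", err)
	}
	// CA: the signature covers the whole to-be-signed certificate (public key, names, validity,
	// key usage), not just a hash of the public key.
	leaf, err = sign(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(0, 0, 90),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, csr.PublicKey, caKey)
	return leaf, root, err
}

// browserVerify is what the client does with the certificate it receives: chain to a trusted root
// (CA signature), check validity window and key usage, and match the name the user asked for.
func browserVerify(leaf, trustedRoot *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	leaf, root, err := issue(shopHost)
	if err != nil {
		panic(err)
	}
	_, otherRoot, _ := issue(shopHost) // an unrelated CA that the browser does not trust
	fmt.Println("right host, trusted CA:", browserVerify(leaf, root, shopHost))
	fmt.Println("wrong host:", browserVerify(leaf, root, "evil.example.net"))
	fmt.Println("untrusted CA:", browserVerify(leaf, otherRoot, shopHost))
}
```

Run it with `go run`: the first line prints `<nil>` (accepted) and the other two print the error a browser would surface, one for the hostname mismatch and one for the unknown issuer. `crypto/tls` performs exactly these checks on the client side from the `RootCAs` and `ServerName` fields of a `tls.Config`; in a real deployment the roots come from the system trust store rather than a pool built by hand, and the server side would additionally serve the intermediate chain.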

Now, let's see how the site verification process works when a user shares their credit card details on the website.

Ordering process (Sharing card details)

When a user opens a secure website (via HTTPS), the browser connects to the web server and begins a TLS handshake.

In response, the browser receives a digital certificate from the web server.

The certificate sent to the browser includes the server's public key, the digital signature generated by the Certificate Authority (CA), and other identifying data, such as the domain names it is valid for and its validity period.

The browser (or the operating system it runs on) ships with a list of trusted root CAs; their certificates, which contain the CA public keys, are pre-installed in the trust store.

The browser verifies the digital signature on the server's certificate using the public key of the CA (found in its trust store), checking any intermediate certificates in the same way until the chain ends at a trusted root.

As part of that verification, the browser hashes the certificate's to-be-signed portion (everything except the signature itself) with the same hash algorithm the CA used, such as SHA-256, and checks that the signature is valid for that hash.

If the signature is valid, the public key and every other field in the certificate are exactly what the CA issued and have not been tampered with. The browser also checks the validity period, the revocation status, and that the hostname it is connecting to is listed in the certificate.

Only after the certificate passes these checks does the browser continue the SSL/TLS handshake that sets up the encrypted channel between the browser and the server.

In the RSA key exchange used by TLS 1.2 and earlier, the session key was agreed as follows: the browser generated a secret, encrypted it with the server's public key and sent it to the server.

The server decrypted that secret with its private key, and both sides derived the session key from it.

Modern connections (TLS 1.3, and the ECDHE suites in TLS 1.2) do this differently: the browser and the server each send an ephemeral Diffie–Hellman value and derive the session key from the pair, so the key itself is never sent over the wire. The server uses its private key only to sign the handshake messages, and the browser checks that signature with the public key from the certificate; that signature is what proves the browser is talking to the real server.

Either way, the browser and the server now share a session key, which is used to encrypt and authenticate all data sent over the secure connection.

Through this procedure, the user's browser and the web server end up with a protected connection, and the server has been authenticated as the legitimate holder of the private key that matches the certificate.
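What the server's private key actually does during the key exchange, as an added example that is not from the original post. The flow in the last few steps, where the browser encrypts a session key with the server's public key, is the RSA key exchange of TLS 1.2 and earlier; TLS 1.3 removed it. This Go program (standard library only) shows the replacement: both sides contribute an ephemeral ECDH share, the session key is derived on each end and never transmitted, and the server's long-term key only signs the transcript, which the browser checks with the public key it took from the certificate. The transcript hash, the key schedule (an HMAC here instead of TLS's HKDF) and the message layout are simplified stand-ins, not the TLS wire format; `siteKey` stands for the key behind the site's certificate and `impostor` is a constructed attacker who can send a valid-looking key share but does not hold that key.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// transcriptHash binds both key shares together, as the TLS transcript hash binds the whole
// handshake. Framing is simplified; this is not the TLS wire format.
func transcriptHash(clientShare, serverShare []byte) []byte {
	h := sha256.New()
	h.Write(clientShare)
	h.Write(serverShare)
	return h.Sum(nil)
}

// deriveKey is a simplified stand-in for the TLS 1.3 HKDF key schedule.
func deriveKey(shared, transcript []byte) []byte {
	m := hmac.New(sha256.New, shared)
	m.Write(transcript)
	return m.Sum(nil)
}

// serverRespond is the server's side: an ephemeral ECDH share plus a signature over the
// transcript made with the long-term key behind the certificate. Signing is all that key does;
// the session key is derived on both ends and never transmitted.
func serverRespond(clientShare []byte, longTerm *ecdsa.PrivateKey) (share, sig, key []byte, err error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	peer, err := ecdh.P256().NewPublicKey(clientShare)
	if err != nil {
		return nil, nil, nil, err
	}
	shared, err := eph.ECDH(peer)
	if err != nil {
		return nil, nil, nil, err
	}
	share = eph.PublicKey().Bytes()
	th := transcriptHash(clientShare, share)
	sig, err = ecdsa.SignASN1(rand.Reader, longTerm, th)
	return share, sig, deriveKey(shared, th), err
}

// clientFinish is the browser's side: verify the signature with the public key taken from the
// already-validated certificate, and only then derive the session key. An impostor can send its
// own share, but cannot sign the transcript without the server's private key.
func clientFinish(eph *ecdh.PrivateKey, share, sig []byte, certPub *ecdsa.PublicKey) ([]byte, error) {
	th := transcriptHash(eph.PublicKey().Bytes(), share)
	if !ecdsa.VerifyASN1(certPub, th, sig) {
		return nil, errors.New("CertificateVerify failed: peer does not hold the certificate's private key")
	}
	peer, err := ecdh.P256().NewPublicKey(share)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(peer)
	if err != nil {
		return nil, err
	}
	return deriveKey(shared, th), nil
}

// runECDHE drives one exchange. signer is the key the responding party really holds; certPub is
// the key the browser took from the certificate. The two differ when an impostor is in the middle.
func runECDHE(signer *ecdsa.PrivateKey, certPub *ecdsa.PublicKey) (clientKey, serverKey []byte, err error) {
	clientEph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	share, sig, serverKey, err := serverRespond(clientEph.PublicKey().Bytes(), signer)
	if err != nil {
		return nil, nil, err
	}
	clientKey, err = clientFinish(clientEph, share, sig, certPub)
	return clientKey, serverKey, err
}

func main() {
	siteKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the key behind the site's certificate
	ck, sk, err := runECDHE(siteKey, &siteKey.PublicKey)
	fmt.Println("genuine server, keys match:", err == nil && bytes.Equal(ck, sk))
	impostor, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // a constructed attacker without the site's key
	_, _, err = runECDHE(impostor, &siteKey.PublicKey)
	fmt.Println("impostor:", err)
}
```

The last line shows why possession of the certificate alone is worthless to an attacker: they can relay the genuine certificate and pick their own key share, but without the private key they cannot produce the signature the browser expects, so the browser never derives a session key with them. Because every connection uses fresh ECDH keys, a server key stolen later cannot be used to decrypt recorded traffic, a guarantee the old RSA key exchange could not give.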

Finally, the user shares their credit card details to purchase from Amazon securely. Note that TLS protects the card number only while it travels between the browser and the server; how the site stores and processes it afterwards is a separate matter.

This is the process that runs whenever a customer buys an item from Amazon or any other online shop. I have tried to keep it simple, and I hope it gave you an idea of how the verification between the user and the server works.
