Why digital certificate? 

You make me laugh. Thank you very much!

totally!

agree

Much appreciated!

I am so happy for you and Security+ is not easy to pass. Congratulations!

Thanks.

Many thanks for your words.

Thank you for your compliments! I appreciate.

Best of luck!Thank you for watching!

Thanks and welcome!

Thanks!

Glad it was helpful!

Wonderful!

Thank you very much!

Good luck!

Thank you for watching!

You are welcome and I am glad it helped.

Thanks. I am glad it is helpful.

My pleasure!

First of all, thanks for your great questions. Encryption can be very complicated. To keep it simple, asymmetric key encryption and symmetric key encryption would work together to make sure authenticity and confidentiality. I have videos about "how SSL works" to demonstrate how they work together. for example, you (your browser) wants to talk to a web server and all conversation should be encrypted (that is why we need https: and padlock). first, your browser wants to verify that the server is the server you wants, and your server will use asymmetric key to send you "digital certificate". Once your browser has verified the server, then it will send its private key (symmetric key encryption) to the server encrypted by the server's public key, and then only the server can decode the browser's private key with its own private key. It might be confusing at this point. Once the server get your browser's private key, then all conversation would be encrypted. I have also one video " Kerberos", which only use symmetric key algorithm. In summary, asymmetric key encryption is normally used to verify each other and exchange the secret key (private key of symmetric key) so that they can encrypt their conversation. I hope my answer would be helpful. Please do not hesitate to ask me any questions.

we use the Public Key to decrypt, that make authentication and non-repudiation

Hi Sunny, please do help us with these questions as we can expect this questions in an interview.

Thanks a lot for your questions and your questions are great.

That is why we need public key infrastructure - PKI, a whole system to create public keys, to store public keys, to create a digital certificate to prove the public key belongs to the real owner, Bob. It is a whole chapter.

In this video, Bob may keep his public key in his server or a public server. Bob might just tell Alice where to get the public key by whatever method. But this can be very risky because a hacker might intercept Bob's information and replace all his messages by the hacker's message, which Alice believe it is from Bob. Alice gets all hacker's information from the very beginning, that is why Alice has not suspected that something is wrong.

That is why we need Public Key Infrastructure: we need a trusted third party to store Bob's public key and when Alice wants to retrieve Bob's public key, she knows where to get it and besides, the trusted party also attaches a digital certificate to prove Bob's public key belongs to Bob.

Thanks a lot for your kind words.

you are welcome!

great question. our browser would check digital certificate if it is valid because our popular browser has pre-loaded with major CA's public keys and also our browsers would actively work behind scene with CA's servers to make sure digital certificates are real and valid.

Hi Miirar, Its a good ques! In a real world scenario, ideally an client(browser) interacts with the server and when the server returns the digital certificate, the browser validates the CN(Common name) of the server to verify its identity, normally the domain name(say google.com) would the Common name(CN), when as mentioned by you, if the hacker intercepts the message and presents a fake digital certificate, the browser identifies that the Common Name is different(say xyz.com) than that of the reqested one(which google.com), browser alerts us by throwing the error message NET::ERR_CERT_COMMON_NAME_INVALID, Additionaly also the pad lock turns to red colour.

Good question .. actually the receiver will send the certificate of insurance to the CA and after CA confirm than it will start further communication

You are welcome! I try my best to save learning time so that everyone is happy :)

i am confused with same question that why would alice pick hacker's public key

@@israilkarud9293 She isn't aware that it has been swapped. Hackers intercept the message when it is being sent. Which means that the public key needed to decrypt the digital signature hasn't reached Alice yet.

no need to choose key as he said. when server will send certificate, there will be key inside it and from there only it will perform further actions. whosoever will send certificate that key will be used. hacket cant send certificate as it would not be signed by trusted CA. if he sends its own then client will not trust it.

You are correct. The word "attach" might be confusing. I mean Public key and digital certificate go together. Digital certificate just verifies the public key belongs to the claimed owner.

Ok, got it. Many thx

Many thanks!!

The hacker intercepts Bob's message via active techniques (mitm attacks) , modifies it and forward the modified message (he change the content i.e the hash) to Alice instead.

Thank you for your appreciation.

you are correct. The message will also be encrypted in real life. Here we just focus on digital signature. Otherwise, it involves too much steps. Text message must be encrypted, and the receiver must de-encrypt the message first, then use the message to test if the digital signature is authentic.

Great to hear!

First of all, many thanks for your questions. Great! For digital signature, it is not "safe" or "secure" because digital signature is only for authentication purpose. The document you digitally signed is not encrypted. The digital signature gives the receiver reason to believe the message was created and sent by the claimed sender and later on the sender cannot deny the fact the document was signed by him/her. However, digital signature needs key exchange, which might be intercepted by man-in-the-middle. In order to make sure the key exchange is safe, we use digital certificate to make sure there is no man-in-the-middle attack. Digital signature plus digital certificate would guarantee the digital signature is authentic and document was not modified. However, the document itself is still in plain text. In these two videos, we haven''t talked about encryption" of the document. Of course, plain text document is not "secure" at all if it is confidential. I hope it helps. Please let me know if you have more questions. Feel free to contact me. I am more happy to make myself clear.

Does this mean that digital signatures are pointless if not accompanied by a digital certificate?

Great questions! Digital signature is not about "safe". It is like our written signatures on a document, its primary and basic function is as a proof of identity. With a signature (digital/paper-based), the signer cannot deny it later on (non-repudiation). Digital signature also makes sure the document is not altered in transit (integrity). But digital signature "authentication" part causing the confusion, I believe. In perfect world, a digital signature would authenticate the signer. For an example, you got a letter from your friend and with his signature, you would normally believe that is your friend. But for some serious contracts, like buying a house involving big money, the signing process is normally witnessed and proved by the thirty party, which means having a document notarized. Digital certificate is involving the third party to make sure the signer is the real one, not anyone else. Please let me know if you have questions. Thanks a lot for watching and asking me questions.

You are right. That is why digital signature always works with digital certificate. I just teach these two parts separately. Otherwise, it is overwhelming long. Thanks a lot for your questions and comments. I really appreciate your thoughts and questions. It means that you really think very deeply into the topic.

One more point, thinking of our real life example, we do not really trust other's signature unless we also have witness or notary public or lawyer's back up when we deal with a big contract (involving big money). It is especially true when we deal with important documents over the Internet since we really do not deal with face to face.

You are welcome! Thank you for your time! Check out my other videos please!

Many thanks.

You are welcome!

You are correct. In general, private key is used for encryption and public key is for decryption. Digital signature uses private and public in a different way. It is a special case for digital signature. Please check out :how ssl certificate works.

I am glad.