SSL, TLS and PKI Introduction

Time: 7 hours 50 minutes
Difficulty: Beginner
CEU/CPE: 8
Video Transcription

In the last section, we talked about TLS and SSL, and if you happen to jump ahead to this lesson on public key infrastructure without going through that lesson, I'm going to ask you to go back and listen to it, because these lessons are best understood together. In that lesson, we talked about SSL and TLS and how they use a hybrid cryptography method in order to provide encryption services. I also drew a beautiful picture in PowerPoint that you can see here. I want to talk about this a little bit more and take it a step further.

As we said in the last lesson, we have a client trying to reach Bank of America's web server securely, and the bank provides its public key. Now, if we think about this scenario, how can the client be sure that what it receives is indeed the public key for Bank of America? Your DNS server would tell you that you have reached Bank of America's web server. But what if the DNS server has been compromised and you are directed to a rogue server, and then you send your sensitive information to the rogue server, and it's encrypted with the rogue server's public key? How do you get the guarantee that you really are talking to Bank of America?

Well, long before Bank of America ever provided online banking, a bank representative would have gone to an organization called a certificate authority. The bank representative would have provided lots of information, business licenses and other documentation, to prove that they truly represent the Bank of America, and the certificate authority would have given the bank a digital certificate. That digital certificate is exactly what it sounds like. It's an electronic file that essentially contains the Bank of America's public key.

How would you know that no one has modified this digital certificate? Well, the certificate authority hashes the file. How do you know that the certificate authority is really the one that issued the digital certificate? Well, because the certificate authority encrypts the hash with the certificate authority's private key. That way, when the bank's representative goes back to the bank, he installs that digital certificate onto the server, and now, when the client connects via HTTPS and requests a secure connection, the bank sends its public key in the digital certificate.

That digital certificate needs to be signed by someone that the client trusts. Trust relationships between certificate authorities mean that the client has the certificate of that certificate authority stored in the web browser. It's the certificate authority, really, that makes all this work, and the certificate authority is the heart and soul of a public key infrastructure. You may have heard of some certificate authorities. A well-known one is VeriSign, but there are many others.
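The chain of reasoning in the lesson, carried through in code as an added example that is not part of the original transcript or of the course material. It uses only Go's standard library crypto/x509: a root CA (constructed for this example) issues a certificate that binds a server's public key to a hostname, and the client verifies it by checking the CA's signature against the root in its own trust store and checking the hostname. The hostnames www.bank.example and www.evil.example, the CA names, and the rogue CA are all assumptions made for the demonstration. Where the transcript says the CA "encrypts the hash with its private key", the code step is the signature that x509.CreateCertificate produces and cert.Verify checks. The example goes one step beyond the lesson by also running the failure cases the lesson only hints at: a certificate from a CA the browser does not trust, a certificate edited after it was signed, and a genuine certificate presented for a host it was not issued to.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed names for this demonstration; none are real hosts or CAs.
const (
	bankHost = "www.bank.example"
	evilHost = "www.evil.example" // same length as bankHost, so it splices into the DER cleanly
)

// must panics on setup failures (key generation, DER encoding); those mean a broken environment, not a PKI decision.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// certTemplate builds a one-day certificate template; isCA selects a root.
func certTemplate(serial int64, name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// newCA creates a self-signed root: the CA signs the hash of its own certificate body with its own private key.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := certTemplate(1, name, true)
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// issueServerCert is the CA's side: bind a fresh server key to a DNS name and
// sign the hash of that binding with the CA's private key. Returns DER bytes.
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) []byte {
	serverKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	return must(x509.CreateCertificate(rand.Reader, certTemplate(2, host, false), ca, &serverKey.PublicKey, caKey))
}

// verifyServer is the client's side: parse what the server sent, check that the CA signature
// chains to a root in the local trust store, and check that the name matches the intended host.
func verifyServer(der []byte, trustStore *x509.CertPool, host string) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:     trustStore,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Scenarios returns the client's verdict for: a genuine certificate; a rogue CA's certificate carrying
// the bank's name; a genuine certificate edited after signing; a genuine certificate for the wrong host.
func Scenarios() (genuine, rogue, tampered, wrongHost error) {
	trustedCA, trustedKey := newCA("Trusted Root CA (constructed)")
	rogueCA, rogueKey := newCA("Rogue CA (constructed)")
	trustStore := x509.NewCertPool() // the browser ships only the trusted root
	trustStore.AddCert(trustedCA)

	genuineDER := issueServerCert(trustedCA, trustedKey, bankHost)
	rogueDER := issueServerCert(rogueCA, rogueKey, bankHost) // attacker's own CA, bank's name
	// The attacker rewrites the name inside the signed body without the CA's key:
	// the hash the CA signed no longer matches, whatever the new name says.
	tamperedDER := bytes.ReplaceAll(genuineDER, []byte(bankHost), []byte(evilHost))

	genuine = verifyServer(genuineDER, trustStore, bankHost)
	rogue = verifyServer(rogueDER, trustStore, bankHost)
	tampered = verifyServer(tamperedDER, trustStore, evilHost) // name now agrees, signature does not
	wrongHost = verifyServer(genuineDER, trustStore, evilHost)
	return genuine, rogue, tampered, wrongHost
}

func main() {
	fmt.Println(Scenarios())
}
```

Run it with go run (Go 1.18 or later, for the generic must helper); the first value printed is nil and the other three are the errors the client would surface. The tampered certificate is deliberately verified against www.evil.example, the name the attacker wrote into it, so that the name check passes and the rejection is attributable to the CA signature alone; Go checks the hostname before it builds the chain, so verifying it against www.bank.example would report the name mismatch first.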