RSA Algorithm, the Keys, and Digital Certificates

Keys are the secrets that allow cryptography to provide confidentiality. Let’s take a closer look at the keys involved with RSA and how they are used.

Who Has Keys and a Digital Certificate?

With RSA digital signatures, when both parties intend to authenticate each other, each party has a public-private key pair. Going back to the analogy in the previous sections, let’s use two computers named Bob and Lois. They both generated their own public-private key pair, and they both enrolled with a certificate authority (CA). That CA took each of their public keys, along with their names and IP addresses, and created individual digital certificates, and the CA issued these certificates back to Bob and Lois, respectively. The CA also digitally signed each certificate.

How Two Parties Exchange Public Keys

When Bob and Lois want to authenticate each other, they send each other their digital certificates (or at least a copy of them). Upon receiving the other party’s digital certificate, they both verify the authenticity of the certificate by checking the signature of a CA that they currently trust. (When you talk about trusting a certificate authority, it really means that you know who the CA is and can verify that certificate authority’s digital signature, by knowing the public key of that CA.)

Now that Bob and Lois both have each other’s public keys, they can authenticate each other. This normally happens inside of a VPN tunnel in both directions (when RSA signatures are used for authentication). For the purpose of clarity, we focus on just one of these parties (for example, the computer Bob) proving its identity to computer Lois.

Creating a Digital Signature

Bob takes some data, generates a hash, and then encrypts the hash with Bob’s private key. (Note that the private key has not been shared with anyone else; not even Bob’s closest friends have it.) This encrypted hash is inserted into the packet and sent to Lois. This encrypted hash is Bob’s digital signature.

Lois, having received the packet with the digital signature attached, first decodes or decrypts the encrypted hash using Bob’s public key. She sets the decrypted hash to the side for a moment and runs a hash against the same data that Bob did previously. If the hash that Lois generates matches the decrypted hash, which was sent as a digital signature from Bob, she has just authenticated Bob. The reason is that only Bob has the private key used for the creation of his digital signature.
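The sign-and-verify exchange just described, written out as an added example (not code from the book): Bob hashes the data and raises the hash to his private exponent, Lois raises the signature to Bob’s public exponent and compares it with a hash she computes herself. The key pair is constructed from two Mersenne primes purely so that a SHA-256 digest fits below the modulus; real RSA keys use randomly generated 2048-bit-or-larger primes and PKCS#1 padding rather than this raw textbook exponentiation.

```python
import hashlib

# Constructed textbook-RSA key pair for "Bob" (hypothetical values).
# P and Q are the Mersenne primes 2^127-1 and 2^521-1, chosen only so that a
# 256-bit SHA-256 digest is smaller than N. Real keys are generated randomly,
# are 2048+ bits, and sign a padded hash (PKCS#1 v1.5 or PSS), not a bare one.
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)

BOB_PUBLIC_KEY = (N, E)    # what the CA placed in Bob's certificate
BOB_PRIVATE_KEY = (N, D)   # never leaves Bob's machine


def digest(data: bytes) -> int:
    """Hash the data and treat the digest as an integer below N."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes, private_key) -> int:
    """Bob's side: hash the data, then 'encrypt' the hash with the private key."""
    n, d = private_key
    return pow(digest(data), d, n)


def verify(data: bytes, signature: int, public_key) -> bool:
    """Lois's side: 'decrypt' the signature with Bob's public key, hash the
    received data herself, and accept only if the two hashes match."""
    n, e = public_key
    recovered_hash = pow(signature, e, n)
    return recovered_hash == digest(data)


if __name__ == "__main__":
    packet = b"constructed sample data from Bob to Lois"
    sig = sign(packet, BOB_PRIVATE_KEY)
    print("genuine packet verifies: ", verify(packet, sig, BOB_PUBLIC_KEY))
    print("tampered packet verifies:", verify(packet + b"!", sig, BOB_PUBLIC_KEY))
```

Any change to the data or to the signature makes the comparison fail, which is why Lois can treat a match as proof that the holder of Bob’s private key produced the packet.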
