1
00:00:00,340 --> 00:00:03,320
So back to Ballman file that we're trying to get to him.

2
00:00:03,360 --> 00:00:11,490
So as I said to exchange I agree with Bob in a secure manner we need to authenticate that Bob is the

3
00:00:11,490 --> 00:00:17,970
real Bob in order to exchange those keys because if a man is sat in the middle he could send a fake

4
00:00:18,000 --> 00:00:24,600
public key pretending to be ball which is why we talked about hashes and digital signatures because

5
00:00:24,600 --> 00:00:30,360
they are used within digital certificates as a method of authentication and this is the same when you

6
00:00:30,360 --> 00:00:33,210
go to a hate's CPS Web site.

7
00:00:33,330 --> 00:00:39,750
They have a public key which you're using to exchange session keys you know to start your encryption

8
00:00:40,020 --> 00:00:44,610
you need to authenticate to make sure that that public key is legitimate.

9
00:00:44,610 --> 00:00:50,520
Now one solution and the solution that is used on the Internet is to use digital certificates that are

10
00:00:50,520 --> 00:00:53,600
digitally signed and a chain of trust.

11
00:00:53,640 --> 00:01:03,660
So X dot 5 0 9 is the standard most used for the security digital certificates and they are simply a

12
00:01:03,960 --> 00:01:11,870
digital document containing information about the owner of the certificate or for example the Web site

13
00:01:11,970 --> 00:01:13,890
the business that owns the Web site.

14
00:01:13,890 --> 00:01:22,230
In this case we've got more Mozilla the public key and a digital signature that proves the public key

15
00:01:22,550 --> 00:01:28,360
and certificate of validated by an authorized typical authority.

16
00:01:28,380 --> 00:01:36,210
Now that all may sound a little bit complex so let's run through this so maybe you've clicked on the

17
00:01:36,300 --> 00:01:38,010
lock before the last.

18
00:01:38,220 --> 00:01:41,440
Let's click on this and click on more info.

19
00:01:41,490 --> 00:01:46,220
Sheilas click here first and you can see that it's verified by.

20
00:01:46,230 --> 00:01:47,290
Did you sir.

21
00:01:47,520 --> 00:01:48,000
So did you.

22
00:01:48,020 --> 00:01:55,290
That is the certificate or 30 day of the person that is saying that Mozilla is who they claim to be

23
00:01:55,410 --> 00:02:00,620
and that the public key on this certificate is genuine and has not been altered.

24
00:02:03,020 --> 00:02:08,680
So let's actually look at the certificate itself down the bottom here we can see the negotiated algorithms

25
00:02:09,290 --> 00:02:10,920
his view the certificate.

26
00:02:11,380 --> 00:02:19,490
So this typically is valid for this domain only is validating this organization and it has been issued

27
00:02:20,030 --> 00:02:21,370
by DGCA.

28
00:02:21,380 --> 00:02:28,350
These are fingerprints they don't need to concern too much about these you can think of those is really

29
00:02:28,950 --> 00:02:30,280
a unique number.

30
00:02:30,390 --> 00:02:32,840
Are a hash against a certificate.

31
00:02:32,970 --> 00:02:36,570
So it's really just a unique number for this particular certificate.

32
00:02:36,630 --> 00:02:38,130
If you dig into the details

33
00:02:40,950 --> 00:02:43,890
quick here if we go down

34
00:02:47,280 --> 00:02:50,240
click here that is the public key

35
00:02:53,630 --> 00:02:57,780
and we can see this is an RSA public key.

36
00:02:57,840 --> 00:03:06,420
So if we encrypt something with that public key using the RSA algorithm only Mozilla's private key can

37
00:03:06,420 --> 00:03:07,310
decrypt it.

38
00:03:07,320 --> 00:03:15,090
Now if we go bit further down we'll see the digital signature algorithm.

39
00:03:15,120 --> 00:03:19,380
So this is shot to five six with our saying correction.

40
00:03:19,430 --> 00:03:24,030
So remember a digital signature is a hash value that is being encrypted.

41
00:03:24,030 --> 00:03:26,130
The issue is private key.

42
00:03:26,430 --> 00:03:30,690
So this is a big it has been signed by DGCA.

43
00:03:30,750 --> 00:03:38,530
And if I click here their certificate is here and this is what brings us to our chain of trust because

44
00:03:38,590 --> 00:03:47,890
the RSA public key that this certificate must be used to decode the signature on this first certificate

45
00:03:48,280 --> 00:03:58,240
to obtain the Shaw 2 5 6 hash which must match an actual shot to 5:6 hash computed over the rest of

46
00:03:58,240 --> 00:04:03,090
the certificate so that you know that it is genuinely from did you sir.

47
00:04:03,780 --> 00:04:08,560
And the same process happens to validate that this certificate is valid.

48
00:04:08,620 --> 00:04:15,550
Going back to this one up the chain of Trost which is the root certificate how do we know that this

49
00:04:15,550 --> 00:04:18,030
form is valid and that we can trust this one.

50
00:04:18,220 --> 00:04:25,660
Well that's because you're operating system and your browser contains a whole list of root certificates

51
00:04:25,660 --> 00:04:28,480
that have been issued by certificate authorities.

52
00:04:28,510 --> 00:04:36,310
So it's not that you necessarily trust them it's that Microsoft or whomever supplied your certificates.

53
00:04:36,360 --> 00:04:38,530
It's those people that trust them.

54
00:04:38,530 --> 00:04:51,570
Now if you going to view certificates in Firefox go here options advanced certificates view certificates

55
00:04:54,640 --> 00:05:03,010
and if you click on authorities you can see the certificate authorities and these all the route CA's

56
00:05:04,090 --> 00:05:14,880
that you're using to trust and they're all hundreds of them could come.

57
00:05:14,900 --> 00:05:18,720
There we go see a komodo digital certificate.

58
00:05:18,830 --> 00:05:22,020
Looks much the same as the mozilla one.

59
00:05:22,040 --> 00:05:25,120
The difference is that this is a self-signed certificate.

60
00:05:25,180 --> 00:05:28,350
What gives them the authority to be a certificate authority.

61
00:05:28,520 --> 00:05:34,640
Well there is various organizations that enable this and allow this to happen and they have to conform

62
00:05:34,640 --> 00:05:36,790
to various security requirements.

63
00:05:36,800 --> 00:05:37,730
That's Close's

64
00:05:40,620 --> 00:05:41,590
down the list.

65
00:05:43,550 --> 00:05:44,570
And what was the

66
00:05:48,150 --> 00:05:52,070
this was did you sir you can see here.

67
00:05:52,070 --> 00:05:52,700
Did you see

68
00:05:59,020 --> 00:06:05,440
and because we have this you know certificate store we trust the Mozilla Web site because of the chain

69
00:06:05,440 --> 00:06:11,570
of trust the digital signatures we can see the chain of trust here.

70
00:06:11,580 --> 00:06:18,830
Bank of America's certificate of trust comes down here and then we have the root certificate here.