Q14 Certificate-Based Authentication Flashcards
(1 card)
Suppose Bob has a certificate Cbob from a Certificate Authority (CA).
When Alice is trying to authenticate Bob, Bob presents Cbob to Alice.
Describe the rest of the procedure of how Alice authenticates Bob.
Hint: Alice would need the public key of the CA and the public key of Bob.
Alice Authenticating Bob Using a Digital Certificate (Cbob):
* Context: Digital certificates, issued by a trusted Certificate Authority (CA), are used to verify the identity of a party (in this case, Bob). Bob’s certificate Cbob contains information about Bob (e.g., his name, organization) and his public key, all signed by the CA’s private key. Alice needs to trust the CA.
Authentication Procedure:
1. Bob Presents Certificate: Bob sends his certificate Cbob to Alice.
2. Alice Verifies CA Signature: Alice needs the public key of the Certificate Authority (CA) that issued and signed Bob’s certificate. Trusted CA public keys are typically pre-installed and managed by software (like web browsers or operating systems) in a trust store. Alice uses the CA’s public key to verify the digital signature on Bob’s certificate (Cbob). This step confirms that the certificate was legitimately issued by the trusted CA and that its contents (including Bob’s public key) have not been altered since it was signed.
3. Alice Extracts Bob’s Public Key: If the CA’s signature on the certificate is successfully verified, Alice extracts Bob’s public key from the certificate. Alice now has a high degree of confidence that this public key truly belongs to Bob, as asserted by the trusted CA.
4. Alice Checks Certificate Validity: Alice also inspects the certificate itself to ensure it is currently valid. This includes checking:
▪ The certificate’s validity dates (start and end dates).
▪ That the identity information in the certificate matches the Bob she expects to be communicating with.
▪ (Not explicitly mentioned as part of the procedure in the source, but standard practice) Check if the certificate has been revoked (e.g., using a Certificate Revocation List or OCSP).
5. Alice Authenticates Bob (Challenge-Response): Alice uses Bob’s verified public key, extracted from the certificate, to confirm that the party she is talking to actually possesses the corresponding private key. A common method is a challenge: Alice generates a random value (a nonce) and sends it to Bob. Bob proves possession of the private key, typically by signing the nonce with his private key (the one corresponding to the public key in the certificate) and sending the signed nonce back to Alice. Alice verifies the signature on the nonce with Bob’s public key from the certificate. If the signature is valid, only the legitimate holder of the private key (i.e., Bob) could have produced it.
6. Authentication Successful: If all verification steps pass (CA signature, certificate validity, and proof of private key possession), Alice has successfully authenticated Bob’s identity.