
As I understand it, the root of SSL security is based on the public key of the certificate authority. And I don't understand why this key can't be faked by a man in the middle:

The man in the middle receives this CA public key but then sends me a public key and a fake certificate of his own and pretends that it is valid. I use this key to compute the certificate signature to verify it, but if this key is fake, how can I know the certificate is not from a trusted source?

1 Answer

For any PKI to work, each party must have a list of the public keys of the CAs they trust. These keys are obtained securely, out of band, from the software vendor.

The SSL certificate received from the server (which contains the SSL server's public key) is signed by the private key of one of those CAs. Without access to one of the CA private keys, a valid certificate cannot be forged, so a man in the middle cannot send a forged certificate that looks valid.

To use PKI we need to trust two things: 1/ that we can retrieve the CA public keys securely, and 2/ that the CAs do not mess up by signing forged certificates or having their keys stolen.

Answered 2013-06-03T10:58:28.247
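To make the answer concrete, here is an added toy example; it is not part of the original question or answer. It models the two clients the question implies: a correct one whose only source of CA public keys is a trust store installed out of band, and a naive one that accepts whatever "CA key" the peer sends over the wire. It uses textbook RSA with small keys and no padding, which is insecure and for illustration only; the CA name "Example Root CA", the hostnames and all function names are made up for the example.

```python
"""Toy PKI showing why a man in the middle cannot forge a valid certificate.

Added illustration, not code from the original post. Textbook RSA with
small keys and no padding: for demonstration only, never for real use.
"""
import hashlib
import json
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test (probabilistic)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Return (public, private) toy RSA keys; n > 2**510 so a SHA-256 digest fits."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    n = p * q
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}


def sign(private_key, message):
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(digest, private_key["d"], private_key["n"])


def verify(public_key, message, signature):
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, public_key["e"], public_key["n"]) == digest


def _tbs_bytes(body):
    """Canonical 'to-be-signed' encoding of the certificate body."""
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(subject, subject_pub, issuer, issuer_priv):
    body = {"subject": subject, "issuer": issuer, "public_key": subject_pub}
    return {"tbs": body, "signature": sign(issuer_priv, _tbs_bytes(body))}


def verify_certificate(cert, trust_store):
    """Correct client: the issuer key comes ONLY from the out-of-band trust store."""
    ca_pub = trust_store.get(cert["tbs"]["issuer"])
    if ca_pub is None:
        return False  # issuer is not one we trust
    return verify(ca_pub, _tbs_bytes(cert["tbs"]), cert["signature"])


def naive_verify_certificate(cert, ca_pub_from_wire):
    """Broken client from the question: trusts whatever CA key the peer sends."""
    return verify(ca_pub_from_wire, _tbs_bytes(cert["tbs"]), cert["signature"])


def run_scenario():
    ca_pub, ca_priv = generate_keypair()
    trust_store = {"Example Root CA": ca_pub}  # shipped with the client, out of band

    server_pub, _server_priv = generate_keypair()
    genuine = issue_certificate("example.com", server_pub, "Example Root CA", ca_priv)

    # The attacker has no CA private key, so he signs a look-alike certificate
    # with his own key and offers his own public key as "the CA key" in-band.
    mitm_pub, mitm_priv = generate_keypair()
    forged = issue_certificate("example.com", mitm_pub, "Example Root CA", mitm_priv)

    # Altering a genuine certificate (here: swapping the subject) also breaks it.
    tampered = {"tbs": dict(genuine["tbs"], subject="evil.example"),
                "signature": genuine["signature"]}

    return {
        "genuine_ok": verify_certificate(genuine, trust_store),
        "forged_rejected": not verify_certificate(forged, trust_store),
        "tampered_rejected": not verify_certificate(tampered, trust_store),
        # The forgery only passes if the client trusts the key sent in-band.
        "forged_fools_naive_client": naive_verify_certificate(forged, mitm_pub),
    }


if __name__ == "__main__":
    for check, result in run_scenario().items():
        print(f"{check}: {result}")
```

The last entry of the result is the point of the answer: a client that takes the CA key from the same untrusted channel as the certificate can be fooled, which is why the trust store must be installed out of band and never updated from the peer.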