0

I was reading this topic which talks about the handshake process and key exchange https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_7.1.0/com.ibm.mq.doc/sy10660_.htm

The article says that the client and the server agrees on the cipher suite algorithm (which is asymmetric) that they are going to use for key exchange and then they will use the generated private key to exchange the data securely. Based on my understanding to the article, the cipher suite algorithm will generate its public and private keys like in the below example to exchange the symmetric private key for data exchange. if my understanding is correct then then what is the benefit of having a certificate public and private keys if those keys will not be used for data exchange?

enter image description here

Mohamad Haidar
  • 379
  • 1
  • 6
  • 13
  • 1
    Basically you are asking what the certificate is for in TLS. In short: authentication so that the key exchange is not done with some man in the middle. Apart from that: *"they will use the generated private key to exchange the data securely"* - please don't call the "shared secret" resulting from the key exchange a "private key". The phrase "private key" has a specific meaning in public key cryptography and it is very confusing if you use it for symmetric cryptography too. – Steffen Ullrich Feb 02 '20 at 18:29
  • Thanks for the answer, if the certificate private key is used for data exchange then what is the benefit of the shared key?. – Mohamad Haidar Feb 02 '20 at 18:42
  • 1
    *"if the certificate private key is used for data exchange"* - it is not. I was citing your wrong use of the phrase "private key" (instead of "shared secret") and it looks like you were confused by your own words. – Steffen Ullrich Feb 02 '20 at 18:47
  • Oh, my bad I misuderstood your first answer. – Mohamad Haidar Feb 02 '20 at 18:51
  • Thanks a lot, so for now I understand the benefit of the public key certificate and that it is used for the authentication mainly. Do you recommend an article to read more about those certificate public and private keys to get a better understanding for them. – Mohamad Haidar Feb 02 '20 at 18:54
  • 1
    There are two major questions about TLS on this site which I recommend: [How does SSL/TLS work?](https://security.stackexchange.com/questions/20803/how-does-ssl-tls-work) and [SSL Certificate framework 101: How does the browser actually verify the validity of a given server certificate?](https://security.stackexchange.com/questions/56389/ssl-certificate-framework-101-how-does-the-browser-actually-verify-the-validity). – Steffen Ullrich Feb 02 '20 at 19:02

0 Answers0