 Let's have a look at an example, a real example before we look into the details of the format. To use HTTPS, the address starts, the scheme is HTTPS, so if we click on a link, for example with the ICT server, does it use HTTPS when we access Moodle? You log in, you use Moodle all the time, is it secure? When you're doing your quizzes online, can somebody need to intercept and see your answers and change the answers to the quiz? In fact, when you're doing a quiz, it doesn't use HTTPS, it's just HTTPS. It's configured only to use HTTPS when you log in. When you hover over the login link, it may be hard for you to see, but the bottom left corner shows that the URL is HTTPS for the login page. So we log in, and the difference you may notice, we have HTTPS at the top and the padlock up there. And the padlock is an indicator that it's using a secure connection. And if your browser, depending on the browser, you click on that, it says verified by, if I just hover over, verified by Komodo. This is just a summary saying that the certificate from the server, I've just contacted the ICT server, I received the certificate, and the authority that signed that certificate was a company called Komodo. Let's click on it and see some more details. We can get some more information. And it says something that the website identity, the ID, the ID is a domain name. There's nothing about who the owner is, but that's just for information. And verified, this identifies the authority, in this case, a company. The technical details, this HTTPS connection is encrypted using AES, 128-bit key, SHA256 is the hash function, RSA was used for the certificate. And if we go over, we can actually view the certificate. And we see the certificate. Remember, the general concept, the ID of the server, the public key of the server, signed by someone else, signed by an authority. So the terminology used here, we have a certificate issued to the server, issued by the authority. We see that this is issued to, and here's a little bit different in that it's issued not to a single domain name, but any domain name that ends with S-I-T dot T-U-A-C-T-H. It's like a wild card. It covers I-C-T, it covers I-T, registration, W-W-W-S-I-T. The one certificate covers all of S-I-T. So this is the server identifier. It's called the common name. The certificate authority, it was issued by a company called Komodo. And there's the specific entity involved, Komodo RSA, Domain Validation Secure Server CA, Certificate Authority. Different companies may use different names and so on. The timestamp, this certificate begins on the 10th of April, last year. And it finishes in five days time. So this certificate will expire on the 10th of April this year. Meaning the next time, if your browser accesses this website on the 11th of April, maybe you try to log in to do the quiz over Songkran, then your browser will probably present a warning or an error saying, you've connected to a server, the certificate they sent us has expired, unless we update that certificate before that date. So that's the concept of the timestamp. It's only valid for a certain period of time. Let's, we can actually see more details. This is a summary of the certificate. Remember, public key, ID, timestamp, all of it signed. In the details, there's a version of the type of certificate. Certificates have serial numbers to identify them. The algorithm used. Remember, we sign by taking a hash encrypting with a public key cipher. Which hash function? SHA256. Which public key cipher? RSA. Who issued the certificate? That is the name of the authority. The common name is this Komodo certificate authority and some address information. Timestamp, not valid before or after these times. The subject is whose certificate? The server. The server, actually it represents multiple servers, anything that ends with the SIT domain. And of course the public key information. A certificate, the most important thing is the public key. What's a public key look like? When you did one of your homeworks, you generated a public-private key pair and you extracted the public key and it contains a modulus, some in this case 2048-bit number and if I can scroll down, a public value. So you need to understand the concepts of RSA to understand these two values. So this is specific to the RSA algorithm. That is the public key, PUS. Then there's some other information that may be just optional extensions. Some ID and down the bottom. The last thing, the signature. So in fact a certificate is the public key, the identity, the issuer and at the bottom, the signature, the encrypted hash value and that's included. How does my browser verify this certificate? We'll go back to the summary, I'll get there. When my browser receives this certificate, how does it know it's not been modified or it's actually a valid certificate? Look at CS on your slides. How do we verify CS? What do we need? We receive the certificate of the server, we verify with public key of the authority. So we verify using the public key of the authority or in this particular case, the public key of the company that issued the certificate, the authority issues the certificate. We need the public key of Komodo and the public key is saved in another certificate. My browser has the public key or the certificate of Komodo stored in it already. So we're finished by finding that. If we go into my preferences, into the detailed security settings for my browser, advanced, under the advanced tab, there's something called certificates and here we will see the certificates of the authorities. The tab at the top, authorities. When I installed Firefox, the creators of Firefox added all of these trusted certificate authorities and their corresponding public keys into the browser so that I don't need to access them, I automatically trust them. So these are the authorities I trust and if we scroll down, we see we have Komodo is there. Komodo is one company, there are many other companies. Many companies from different countries, DigiCert and also from different governments and trust is a common one, GoDaddy issues certificates, Microsoft and a bunch of others. These are all the authorities that I trust implicitly and they sign or issue certificates from to other servers, StarCom, SwissCom, Thought and one of the common ones, Verisign or Symantec down the bottom. The format we'll look at is X509. What we'll look at to finish this topic is some of the issues that arise here. How did I get these certificates? How does a server get a certificate? Some practical details and what happens when you try to visit a website when you don't trust the signer of a certificate? So we'll see them and discuss them in the next lecture.