RSA signed ECDSA certificate still uses ECDSA for authentication

radiatejava radiatejava at gmail.com
Fri Aug 26 20:28:21 UTC 2022


>> and then the same ECDSA key verified by the CA to sign a hash over the transcript of the handshake itself
Which part of the TLS handshake you are talking about? Are you talking
about the three messages from the client to server messages that are -
ClientKeyExchange, ChangeCipherSpec, ClientFinished? In my
understanding, ClientKeyExchange, ChangeCipherSpec are not encrypted
and the last one ClientFinished is encrypted but using the keys
derived from ECDHE key exchange algorithm. Is that not right?

On Fri, Aug 26, 2022 at 11:02 AM Nicola Tuveri <nic.tuv at gmail.com> wrote:
>
> I'll give it a try.
>
> The Certification Authority (CA) that released the certificate has an RSA key. That was used to generate the signature in the cert, that tells users that the CA verified the Certificate Subject identity and that they hold the secret key associated with the Subject's Public Key.
>
> The Certificate Subject (facebook.com) has an ECDSA key, and proved to the CA that they own the secret key matching the Subject's Public Key indicated in the certificate.
>
> During the TLS handshake, facebook.com uses ECDHE for key exchange, and then the same ECDSA key verified by the CA to sign a hash over the transcript of the handshake itself, this (plus an extra bit of symmetric authentication not directly relevant for this discussion) proves to the client that the server they are talking with holds the ECDSA secret key associated with the Subject's Public Key of the Certificate: if they trust the CA (or the chain of trust up to the CA that signed the Certificate) they transitively know that the server is indeed facebook.com (or someone that gained control of their secret ECDSA key).
>
> Therefore ECDHE provides key exchange and ECDSA authentication for the handshake, while RSA guarantees the authenticity of the Certificate.
>
>
> Best regards,
>
> Nicola Tuveri
>
> On Fri, Aug 26, 2022, 20:49 radiatejava <radiatejava at gmail.com> wrote:
>>
>> I am a bit confused when an RSA signed ECDSA certificate is being used in TLS.
>> For example, if you run the test for facebook.com, you will see that
>> the certificate has ECDSA key but signed with Signature Algorithm:
>> sha256WithRSAEncryption.
>>
>> $ openssl s_client  -connect  www.facebook.com:443
>>
>> The ciphersuite used here is ECDHE-ECDSA-AES128-GCM-SHA256. So it
>> means it used ECDSA key for server authentication.
>>
>> But I do not understand how did it use ECDSA key for authentication as
>> the cert is RSA signed and key exchange is ECDHE, meaning ECDSA key of
>> the certificate is not used for encryption keys. Can someone explain
>> this to me?


More information about the openssl-users mailing list