Certificates

Symmetric encryption (also known as private key encryption or conventional encryption) is based on a secret key that is shared by both communicating parties. The sending party uses the secret key as part of the mathematical operation to encrypt plaintext to ciphertext. The receiving party uses the same secret key to decrypt the ciphertext to plaintext. An example of a symmetric encryption algorithm is Data Encryption Standard (DES), which is used for Internet Protocol security (IPSec) encryption.

Asymmetric encryption, or public key encryption, uses two different keys for each communicating party: one is a private key known only to each individual communicating party; the other is a corresponding public key, which is accessible to anyone. The private and public keys are mathematically related by the encryption algorithm. One key is used for encryption, and the other key is used for decryption. When sending an encrypted message, the sender uses the recipient's public key to encrypt the message, and the receiver uses the corresponding private key to decrypt the message.

Public key encryption technologies also allow digital signatures to be placed on messages. To create a digital signature, the sender first calculates a hash of the message. A hash is a number that represents a mathematical summary of the message. The sender then encrypts the hash using the private key. The encrypted hash is the digital signature that is sent along with the message. When the message and its digital signature are received, the receiver calculates their own value of the hash for the message. The receiver then uses the sender's corresponding public key to decrypt the hash in the digital signature and verify that the calculated hash equals the decrypted hash. If they are the same, the message was not modified in transit and must have been sent by the sender.

With symmetric encryption, both sender and receiver have a shared secret key. The distribution of the secret key must occur (with adequate protection) prior to any encrypted communication. However, with asymmetric encryption, the sender uses one key to encrypt or digitally sign messages, whereas the receiver uses the other corresponding key for decryption of the message or digital signature verification. The public key can be freely distributed to anyone who needs to encrypt messages or verify the digital signature of messages. The sender needs to carefully protect the private key only.

To secure the integrity of the public key, the public key is published as part of a certificate. A certificate, also known as a digital certificate or public key certificate, is a data structure that contains a digital signature of a certification authority (CA), an entity that users of the certificate can trust. A certificate is a digitally signed statement that binds the value of a public key to the identity of the person, device, or service that holds the corresponding private key.

Certificate Fields

A certificate is composed of a series of fields that contain the information needed to identify the subject of the certificate and the corresponding public key, to identify the issuer of the certificate, and to verify that the certificate is sound.

The certificates used by Windows components are compliant with the X.509 certificate standard, which defines the following fields for certificates (among others):

  • Subject

    The identification of the entity being issued the certificate. In Windows, the entity is a user, a computer, or a service.

  • Subject Public Key

    The subject's public key.

  • Subject Identifier Information

    Additional information about the subject, such as a directory name or an e-mail address.

  • Validity Period

    A certificate is valid for only a specified period of time. Every certificate contains Valid From and Valid To dates, which are the boundaries of the validity period. When a certificate's validity period has passed, the subject must request a new certificate.

  • Issuer Identifier Information

    The identification of the issuer and signer of the certificate (the issuing CA).

  • Certificate Signature

    Contains the digital signature of the certificate as computed by the issuing CA. The certificate signature provides proof of the validity of the binding between the subject public key and the subject identifier information.

A subject's certificate is either published or sent during a negotiation for secure communications. Upon retrieval or receipt of an X.509 certificate, the receiver has the public key of the sender and a means to verify that it belongs to them. To verify the certificate's signature, the receiver does the following:

  1. Calculates its own hash of the certificate (using the same hash algorithm as the sender).

  2. Obtains the issuing CA's X.509 certificate.

  3. Uses the public key contained within the issuing CA's X.509 certificate to decrypt the certificate's signature.

  4. Compares the decrypted hash value with the calculated value. If they are the same, the issuing CA issued the sender's certificate. If they are not, the sender's certificate is considered invalid.
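The signature construction described earlier (hash the data, encrypt the hash with the private key, decrypt it with the public key and compare) and the four certificate-verification steps just listed, carried through as one worked example. This is an added example, not code from the book or from Windows: a certificate is modelled as a JSON structure standing in for the X.509 DER encoding, signatures are textbook RSA over SHA-256 with no padding, and the keys are built from fixed Mersenne primes so the whole thing runs with the Python standard library alone. All function names, the CA and subject names, and the sample message are constructed for the example.

```python
"""Toy model of certificate issuance and of the four-step signature check.

Added example (not from the book): textbook RSA (no padding) over SHA-256,
using only the Python standard library.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

E = 65537  # public exponent

# Hypothetical key material. The factors are known Mersenne primes, chosen only
# so the example needs no prime generator; each key gets its own pair so that
# the two moduli share no factor. Real keys use random primes of a fixed size.
CA_PRIMES = (2**521 - 1, 2**607 - 1)
SUBJECT_PRIMES = (2**127 - 1, 2**1279 - 1)


def make_keypair(p, q, e=E):
    """Return (public_key, private_key) dicts for textbook RSA."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return {"n": n, "e": e}, {"n": n, "d": d}


def sha256_int(data):
    """The hash as an integer; it is far smaller than either modulus above."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private_key, data):
    """Hash the data, then 'encrypt' the hash with the private key."""
    return pow(sha256_int(data), private_key["d"], private_key["n"])


def verify(public_key, data, signature):
    """Recompute the hash and compare it with the signature 'decrypted' by the public key."""
    return pow(signature, public_key["e"], public_key["n"]) == sha256_int(data)


def encode_tbs(tbs):
    """Canonical byte encoding of the to-be-signed fields (stand-in for DER)."""
    return json.dumps(tbs, sort_keys=True, separators=(",", ":")).encode()


def issue_certificate(issuer_name, issuer_private_key, subject, subject_public_key,
                      valid_from, valid_to):
    """The CA binds the subject's identity to its public key and signs the whole structure."""
    tbs = {
        "subject": subject,                        # Subject / Subject Identifier Information
        "subject_public_key": subject_public_key,  # Subject Public Key
        "valid_from": valid_from.isoformat(),      # Validity Period
        "valid_to": valid_to.isoformat(),
        "issuer": issuer_name,                     # Issuer Identifier Information
    }
    return {"tbs": tbs, "signature": sign(issuer_private_key, encode_tbs(tbs))}


def verify_certificate(cert, ca_cert, now):
    """Steps 1-4 from the text, plus the validity-period and issuer-name checks."""
    tbs = cert["tbs"]
    if tbs["issuer"] != ca_cert["tbs"]["subject"]["cn"]:
        return False  # the CA certificate obtained (step 2) is not the issuer's
    valid_from = datetime.fromisoformat(tbs["valid_from"])
    valid_to = datetime.fromisoformat(tbs["valid_to"])
    if not (valid_from <= now <= valid_to):
        return False  # outside the Valid From / Valid To boundaries
    ca_public_key = ca_cert["tbs"]["subject_public_key"]              # step 2
    return verify(ca_public_key, encode_tbs(tbs), cert["signature"])  # steps 1, 3, 4


def demo(now=None):
    """Issue a self-signed CA certificate and a subject certificate, then run the checks."""
    now = now or datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed clock value
    ca_pub, ca_priv = make_keypair(*CA_PRIMES)
    sub_pub, sub_priv = make_keypair(*SUBJECT_PRIMES)
    start, end = now - timedelta(days=30), now + timedelta(days=365)
    ca_cert = issue_certificate("Example Root CA", ca_priv,
                                {"cn": "Example Root CA"}, ca_pub, start, end)
    cert = issue_certificate("Example Root CA", ca_priv,
                             {"cn": "alice", "email": "alice@example.com"}, sub_pub, start, end)

    message = b"meet at 10:00"  # constructed sample message signed by the subject
    sig = sign(sub_priv, message)

    tampered = json.loads(json.dumps(cert))       # deep copy of the certificate
    tampered["tbs"]["subject"]["cn"] = "mallory"  # field edited after the CA signed it
    subject_key = cert["tbs"]["subject_public_key"]
    return {
        "cert_ok": verify_certificate(cert, ca_cert, now),
        "tampered_cert_rejected": not verify_certificate(tampered, ca_cert, now),
        "expired_rejected": not verify_certificate(cert, ca_cert, now + timedelta(days=400)),
        "message_ok": verify(subject_key, message, sig),
        "modified_message_rejected": not verify(subject_key, message + b"!", sig),
    }


if __name__ == "__main__":
    print(demo())
```

`demo()` returns five checks, all of which come out True: a well-formed certificate passes steps 1 to 4, a certificate edited after issuance fails the comparison in step 4, a check run past the Valid To date is rejected before any signature work, and a message signed by the subject verifies against the public key carried in its certificate while a modified message does not. The structure of the check is the same one Windows performs; the differences in practice are the DER encoding and a padded signature scheme (PKCS#1 v1.5 or PSS) rather than a bare hash.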

For Windows, the fields of a certificate are visible from the Details tab when viewing the properties of a certificate. One way to view the properties of a certificate is through the Certificates snap-in. Figure 6-1 shows an example.

Figure 6-1. The Details tab when viewing the properties of a certificate.



Deploying Secure 802.11 Wireless Networks with Microsoft Windows
ISBN: 0735619395
Year: 2000
Pages: 123
Authors: Joseph Davies