From Wikipedia :
For each user, the user identity, the public key, their binding, validity conditions and other attributes are made unforgeable in public key certificates issued by the CA.
1.1 What is a PKI ?
PKI stands for “Public Key Infrastructure” : it is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.
1.2 Why do we need a PKI ?
A PKI is required to resolve the “user to Public Key” binding problem.
2) Asymmetric Algorithms reminder
This is a quick reminder about asymmetric key algorithms. It is important to understand them in order to understand why and where a PKI is required.
Main features of asymmetric algorithms :
- One key is used for encryption AND a different key is used for decryption.
- One of those keys can be made public : if we can securely obtain the “public key”, key management becomes a lot simpler than with symmetric algorithms.
- The question is : when I receive someone’s public key, how do I really know it belongs to that person or entity ? That is the question a PKI answers.
3) Digital Certificate
From Wikipedia :
In typical public key infrastructure (PKI) arrangements, a digital signature from a certificate authority (CA) attests that a particular public key certificate is valid (i.e., contains correct information).
- What is a digital certificate ?
A digital certificate is a data structure which binds a user’s identity to a public key; this association is certified by a Certificate Authority (CA).
- What is a CA ?
A CA is the company that issues the certificate.
- What is a self-signed certificate ?
A certificate is said to be self-signed when it is issued and validated (signed) by the same company : the CA (logically this should be a root CA, one of the highest rank). Today's web browsers ship with many root certificates, which makes web browsing easier, but it may also lead to security issues (you must trust the source of your web browser installation).
Note : This definition is only valid in a PKI context. In a web of trust context there is no root CA or highest ranked CA; there is, actually, no CA at all!
3.2 Contents of a typical digital certificate
X.509 v3 : This is the current standard describing the certificate structure (format). It is already used extensively on the Internet (e.g. on web servers : TLS ; web browsers : TLS ; email clients : S/MIME ; IPsec VPNs : IKE).
From Wikipedia :
- Serial Number : Used to uniquely identify the certificate.
- Subject : The person, or entity identified.
- Signature Algorithm : The algorithm used to create the signature.
- Issuer : The entity that verified the information and issued the certificate.
- Valid-From : The date the certificate is first valid from.
- Valid-To : The expiration date.
- Key-Usage : Purpose of the public key (e.g. encipherment, signature, certificate signing…).
- Public Key : the purpose of SSL when used with HTTP is not just to encrypt the traffic, but also to authenticate who the owner of the website is, and that someone’s been willing to invest time and money into proving the authenticity and ownership of their domain.
- Thumbprint Algorithm : The algorithm used to hash the certificate.
- Thumbprint : The hash itself to ensure that the certificate has not been tampered with.
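The fields listed above can be read from a real certificate with the openssl command line. The script below is an added example, not part of the original post: it creates a throwaway self-signed certificate, prints its fields, recomputes the thumbprint by hand and checks that the certificate is self-signed. The subject (`Example Org`, `example.test`), the file names and the function names are constructed placeholders.

```shell
#!/bin/sh
# Added example. The subject name and file names are constructed placeholders.

# make_cert DIR: generate a throwaway RSA key and a self-signed X.509 certificate.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/O=Example Org/CN=example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# cert_field FILE NAME: print one field; NAME is subject, issuer, serial,
# startdate (Valid-From) or enddate (Valid-To).
cert_field() {
    openssl x509 -in "$1" -noout "-$2" | sed 's/^[^=]*=//'
}

# thumbprint FILE: SHA-256 thumbprint as reported by openssl, lowercase hex.
thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 |
        sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# der_sha256 FILE: the same value computed by hand. The thumbprint is not stored
# in the certificate; it is a hash over the whole DER-encoded certificate.
der_sha256() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# is_self_signed FILE: succeeds when issuer equals subject AND the signature
# verifies under the certificate's own public key.
is_self_signed() {
    [ "$(cert_field "$1" issuer)" = "$(cert_field "$1" subject)" ] &&
        openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d) && make_cert "$dir" || return 1
    for f in serial subject issuer startdate enddate; do
        printf '%-10s %s\n' "$f" "$(cert_field "$dir/cert.pem" "$f")"
    done
    printf '%-10s %s\n' thumbprint "$(thumbprint "$dir/cert.pem")"
    is_self_signed "$dir/cert.pem" && echo "self-signed: yes"
    rm -rf "$dir"
}
demo
```

A matching issuer and subject alone does not prove a certificate is self-signed, since anyone can write those names; the signature check against the certificate's own key is what confirms it.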
To be finished (sorry pal !)