X.509

 

Warm-up questions:

What is X.509

[Albert]: X.509 is an internet security protocol.

What is the content of X.509

[Albert]: X.509 includes the definitions of X.509 certificate, certificate authority (CA), and CA hierarchy.

What is X.509 certificate

[Albert]: X.509 certificates are very much like driver licenses for the internet. Here is the list of comparisons:

    1. Purpose:
      X.509 certificates are small files used by internet surfers to identify themselves in their internet activities, and driver licenses are small pieces of paper used by drivers to identify themselves in their day-to-day activities.
    2. Issuer:
      X.509 certificates are issued by a certificate authority, and driver licenses are issued by a ministry of transportation.
    3. Personal Information:
      X.509 certificates contain surfers' personal information, and driver licenses contain drivers' personal information.
    4. Verifiability:
      Every X.509 certificate contains its issuer's digital signature, which is invalidated if the certificate is altered, so we can verify the signature to see whether the certificate is real and unmodified. Driver licenses, on the other hand, have both the personal data and the issuer's identity imprinted in very sophisticated print patterns, so we can verify by visual examination whether a license is real and unaltered.
    5. Life Cycle:
      Each X.509 certificate has an issue date and an expiry date, and each driver license has an issue date and an expiry date too.

The major difference between X.509 certificates and driver licenses is their enforcement. X.509 has no legal binding; it is enforced by the law of convenience. It is up to each individual to have himself/herself/itself certified when doing business on the internet. If you do not have yourself certified, you may not get what you want or you may not have the business you might otherwise have, but you will not be fined or jailed. Furthermore, faking a driver license is a crime while faking an X.509 certificate is not; for this reason, X.509 should be made even harder to fake, because it has no recourse if it fails.

Who issues X.509 certificates

[Albert]: An X.509 certificate is issued by an X.509 CA (Certificate Authority).

Who is X.509 CA

[Albert]: There are two types of X.509 CAs: public CAs and private CAs.

Public CAs are built on public trust. Eventually, people have to put their interests, money, and sometimes lives in these CAs' hands. In this sense, CAs are very much like banks. People put their life savings into banks and believe that their money will never be abused or stolen. Similarly, people give their trust to the certificates issued by CAs, build their businesses on top of them, and believe that CAs will never issue bad certificates to ill-minded guys for immoral conduct.

It is not that people like to risk their "lives" in the hands of CAs; it is simply that there are no alternatives. You either do not do internet business, or trust hopelessly what an unidentifiable salesman is saying from somewhere on the net, or you trust a CA. Pick one from these three.

A public CA is the guy who has already got your money, and the only way it can get your money again is to make sure you are a happy camper (on the security aspect) when you are doing business on the internet. To make sure CAs do their work with due diligence, people reward them handsomely (maybe not now, but definitely in the future) so that CAs become very rich, and the only thing that prevents CAs from being poor again is not violating the public trust. It is exactly the same dumb but workable trick we have used with banks.

An entity which already has the public trust can become a public CA fairly easily, such as banks, government agencies, big companies, and well-known companies. But it is definitely not for the average Joe and Jane.

Big companies or organizations may have their own private CAs. The difference between private CAs and public CAs is that a private CA is not a trusted entity but rather an entity with a mandate given by a superior entity. Private CAs ????

What is the use of an X.509 certificate

[Albert]: Due to the nature of the internet, the use of X.509 certificates is much more crucial than the use of driver licenses (maybe not now, but definitely in the future, not that far from now).

The main problem with the internet is that anyone or anything can claim to be anyone or anything else (impersonation); after all, everything is converted into the same digital form when travelling over the net. The second problem is that on the net, someone can intercept a message from a sender, alter the message, and then send it to the receiver without either the sender or the receiver knowing it (a hidden middleman or woman or thing).

X.509 certificates can solve these two problems.

How an X.509 certificate prevents internet impersonation

[Albert]: If we are not sure of the true identity of a remote party on the internet, we ask that party for its X.509 certificate and make sure the certificate is not expired and not altered.

In every non-altered X.509 certificate, we have the identity of the remote party and its public key. To verify that the remote party indeed owns the certificate, all we need to do is encrypt a secret message using that party's own public key, send the encrypted data to the remote party, and challenge that party to decrypt the message. The real party should be able to decrypt the message encrypted with its own public key.

How to know if an X.509 certificate is altered

[Albert]: Since X.509 certificates are meant to be available on the internet for the public to use, they can be copied to any place and altered for deceptive purposes.

For instance, when we receive a certificate from a remote party, we encrypt the message with its attached public key, send the encrypted message to that party, and find out that the party indeed can decrypt the message. At this stage, we are still not one hundred percent sure that the party is really the owner of the certificate, because it is possible that the party in question stole the certificate and simply replaced the original public key with its own public key. In other words, the certificate we rely on may be altered.

The way to make sure a certificate is not altered is to verify its signature.

An X.509 digital signature differs from a handwritten signature in that a handwritten signature tells you the document is a true document but is not intended to prevent alteration of the document. You prevent unauthorized changes by other means, such as handwriting or neatly typing on clean paper and signing initials on all authorized changes.

On the other hand, an X.509 digital signature does both. It shows that the document is the true document as well as that the document is not altered. The second property is important, since altering an electronic document is usually undetectable by just looking at the document.
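
Added example, not part of Albert's answers: the decryption challenge and the signature check described above, run against a genuine certificate, a stolen copy, and a copy whose public key was swapped. The certificate layout, the names, and the toy textbook-RSA keys (built from Mersenne primes, no padding) are constructed for illustration; real X.509 uses DER encoding and padded signatures.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by all toy keys

def make_key(p_exp, q_exp):
    # Constructed toy key from two Mersenne primes: trivially factorable, demo only.
    p, q = 2**p_exp - 1, 2**q_exp - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(cert):
    # Hash of the fields the issuer's signature covers (hypothetical layout).
    covered = f"{cert['subject']}|{cert['pubkey_n']}|{cert['not_after']}"
    return int.from_bytes(hashlib.sha256(covered.encode()).digest(), "big")

def issue(ca, subject, pubkey_n, not_after):
    cert = {"subject": subject, "pubkey_n": pubkey_n, "not_after": not_after}
    cert["signature"] = pow(digest(cert), ca["d"], ca["n"])  # textbook RSA, no padding
    return cert

def signature_ok(cert, ca_n):
    # Only the CA's public modulus is needed to check the signature.
    return pow(cert["signature"], E, ca_n) == digest(cert)

def challenge_ok(cert, holder):
    # Encrypt a random secret to the certificate's public key; the holder must decrypt it.
    secret = secrets.randbelow(cert["pubkey_n"] - 2) + 2
    ciphertext = pow(secret, E, cert["pubkey_n"])
    return pow(ciphertext, holder["d"], holder["n"]) == secret

CA = make_key(521, 607)
OWNER = make_key(1279, 2203)
IMPOSTOR = make_key(127, 2281)

def scenarios():
    genuine = issue(CA, "shop.example", OWNER["n"], "2030-01-01")
    altered = dict(genuine, pubkey_n=IMPOSTOR["n"])  # public key swapped, old signature kept
    cases = {
        "owner presents genuine cert": (genuine, OWNER),
        "impostor presents stolen cert": (genuine, IMPOSTOR),
        "impostor presents altered cert": (altered, IMPOSTOR),
    }
    return {name: (signature_ok(c, CA["n"]), challenge_ok(c, holder))
            for name, (c, holder) in cases.items()}

if __name__ == "__main__":
    for name, (sig, chal) in scenarios().items():
        print(f"{name}: signature_ok={sig} challenge_ok={chal} accept={sig and chal}")
```

Only the genuine certificate held by its owner passes both checks: the stolen copy fails the challenge, and the altered copy passes the challenge but fails the signature check.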

How to sign an X.509 certificate

[Albert]: On the other hand, an X.509 digital signature does both. It shows that the document is the true document as well as that the document is not altered. The second property is important, since altering an electronic document is usually undetectable by just looking at the document.

Why Public Key Encryption Can be Used for Authentication

[Albert]: Each public key has a key-mate called the private key; data encrypted with the public key can only be decrypted with its private key-mate.

A strange but very important property of the public key is that it does not have the reconstruction capability, that is, data encrypted with a public key cannot be decrypted with the same public key. So, be comfortable with the idea of encrypting data using a public key while knowing that everyone out there knows this public key.

The legitimate certificate owner will have the private key that matches the public key on the certificate. If the remote party can correctly decrypt a message encrypted with the public key, it means that party has the matching private key, which in turn means that party is the owner of the certificate.

Why X.509 Certificates have to be Authenticated

[Albert]: X.509 certificates (along with the public keys) are on the internet for public use. Unlike paper-made driver licenses, these electronic certificates are very easy to duplicate (or steal). Therefore, a certificate alone on the internet is not trustworthy. The only thing we can rely on in the X.509 infrastructure is the decryption capability of the private key. The party who can decrypt the secret message encrypted with the public key is the true owner of the private key, the public key, and the certificate.

What is a Public Encryption

[Albert]: One goal of encryption is to make a document unreadable or a file unusable so nobody can know your secret, just like shredding a paper document except doing it electronically. However, in order to make encryption useful for internet-based business, we also need a reverse process called decryption that can make the document readable again.

There are three types of encryption approaches: procedure based, secret key based, and public key based.

The core of procedure based encryption is two procedures: one for encryption and one for decryption. Any procedure pair which can make a file unreadable/unusable and then reverse it back can be used for encryption purposes; such procedure pairs include pkzip/pkunzip, Unix tar/tar, DOS backup/restore, and many more (you can easily write millions of your own procedure pairs). For different encryption tasks, you have to use different procedure pairs (kind of inconvenient).

The core of secret key based encryption is the secret key (sounds natural). The advantage of secret key based encryption is that only one encryption procedure pair is needed (so no new invention of the procedure pair, please); for different encryption tasks, you just change the secret keys.

The core of public key based encryption is (you can guess) the public key. The advantage of public key based encryption is that only one encryption procedure pair is needed (OK, nothing new) and you can use the same encryption key for all your encryption tasks (this is great!).

However, the most important (arguably) characteristic of public key encryption is its capability of authentication. The first two encryption approaches cannot do authentication over the internet, a major blow compared with public key encryption.

How to Use Public Key for a day-to-day Encryption Task

[Albert]: Public key encryption is tedious, but most importantly, it is a two-way encryption that only works in one way. More specifically, as we know, a message encrypted with a public key can be decrypted with its private key mate, and a message encrypted with a private key can be decrypted with its public key mate. However, since the public key is available to the public, the private key encryption is really meaningless (it can be decrypted by anyone).

Therefore, public key encryption is a little bit complicated. Assume that person A wants to establish a secured connection with person B; a secured connection means that all messages travelling through this connection are encrypted. The X.509 way of encryption is that person A first gets person B's public key, then encrypts a secret key with person B's public key, and sends the encrypted secret key to person B.

Assume that person B is real and he/she can decrypt the secret key with his/her private key. From then on, person B will talk to person A with the same secret key using secret key encryption (which is two-way and fast).

The reason that public key infrastructure has far fewer keys and much less of a key management headache is that secret keys are all generated on the fly. In this way, we do not need to rack our brains to make a secure and easy-to-remember secret key, to worry about how to send the secret key to a remote entity safely, or to maintain hundreds of secret keys in a key database so that we can keep track of which key is for which person or business. This makes internet business a whole lot easier.

How an X.509 certificate prevents the internet hidden middleman

[Albert]: The public key on the X.509 certificate and public key encryption can prevent the internet impersonation,

Who can be a certificate authority

[Albert]: Anyone can be a certificate authority; the question is what the use of your certificate is and who needs to use it.

 

 

Basic Questions

How

 

 

 Advanced Questions

How

 

 

 Philosophical Questions

What is the difference between the internet authentication and day-to-day authentication

[Albert]: On the internet, X.509 certificates can be used by everyone, such as individuals, companies, government agencies, machines, programs, books, dog pictures, etc. In the eyes of the internet, everything is the same and can be certified and verified. On the other hand, in day-to-day life,

 
