Digital Certificates in Asymmetrical Cryptography: Difference between revisions

From ITCwiki
Jump to navigation Jump to search
No edit summary
No edit summary
Line 21: Line 21:


Besides standard e-email transactions, Digital Certificates can be used to encrypt HTTPS communications on the internet. A web browser can obtain a certificate from a website using SSL to determine the security of a web server and whether the server has been compromised. The browser requests a certificate using a certificate signing request that has the web site name, contact email address, and company information while the site asks for information to compare it to. The owner then signs it, making the certificate a public certificate.  
Besides standard e-email transactions, Digital Certificates can be used to encrypt HTTPS communications on the internet. A web browser can obtain a certificate from a website using SSL to determine the security of a web server and whether the server has been compromised. The browser requests a certificate using a certificate signing request that has the web site name, contact email address, and company information while the site asks for information to compare it to. The owner then signs it, making the certificate a public certificate.  
==Certificate Life Cycle==
At the Revocation stage of a certificate's life cycle, it is no longer valid, and at the Expiration stage it can no longer be used.


==Wildcard Certificates==
==Wildcard Certificates==
 
Wildcard certificates are a sub-type of digital certificates that encompass an entire domain of website addresses.


===Digital Signatures===
===Digital Signatures===
Asymmetric cryptography cannot naturally provide authentication: as although a message that is sent with an asymmetric protocol can ensure the message has not been tampered with, it cannot verify whether the sender is who they say they are due to a public key's nature. To provide proof, a digital signature must be created (not to be confused with a digital certificate), which acts as a handwritten signature verifying the sender. It can also confirm that the message had not been altered since it was signed, or prevent the sender from disputing the origin of the message. Hashing, in its simplist form is an algorithm that you can run a piece of data through and get out a number that represents the original.
Asymmetric cryptography cannot naturally provide authentication: as although a message that is sent with an asymmetric protocol can ensure the message has not been tampered with, it cannot verify whether the sender is who they say they are due to a public key's nature. To provide proof, a digital signature must be created (not to be confused with a digital certificate), which acts as a handwritten signature verifying the sender. It can also confirm that the message had not been altered since it was signed, or prevent the sender from disputing the origin of the message. The purpose of a digital signature is to only show the that the public key labeled as belonging to a person was used to encrypt the message, nothing more. Hashing, in its simplest form is an algorithm that you can run a piece of data through and get out a number that represents the original.


A digital signature consists of three algorithms: A key generation algorithm that selects a private key at random from a set of possible private keys, then uses it to create the private key and public key that corresponds to it; a signing algorithm that produces the signature when given a message and a private key, and a signature verifying algorithm that takes the message, public key and signature either accepts or rejects the message's claim of authenticity.
A digital signature consists of three algorithms: A key generation algorithm that selects a private key at random from a set of possible private keys, then uses it to create the private key and public key that corresponds to it; a signing algorithm that produces the signature when given a message and a private key, and a signature verifying algorithm that takes the message, public key and signature either accepts or rejects the message's claim of authenticity.


===Hashing===
===Hashing===
Hashing is a form of cryptographic security which differences from encryption. Where as encryption has a two step rpoces used to first encrypt and then decrypt a message, hashing condenses a message into a irreversible fixed-length value, or hash. Two of the most common hashing algorithms seen in networking are MD5 and SHA-1; however, they are both found to have vulnerabilities and should be discouraged.
Hashing is a form of cryptographic security which can be used to ensure the integrity of a file by guaranteeing no one has tampered with it. Where as encryption has a two step process used to first encrypt and then decrypt a message, hashing condenses a message into a irreversible fixed-length value, or hash. Two of the most common hashing algorithms seen in networking are MD5 and SHA-1; however, they are both found to have vulnerabilities and should be discouraged.

Revision as of 19:45, 8 December 2011

As part of protection and encryption of ever increasing network vulnerabilities and security needs, traditional symmetrical algorithms that encrypt information using private keys are not always sufficient. Asymmetric Cryptography, also known as Public Key Cryptography uses two keys instead of one, and contains many more permutations and defenses than an ordinary symmetrical algorithm. The use of these algorithms also allows checks of authenticity with digital signatures.

Asymmetrical cryptography fundamentals

The primary feature of public-key cryptography is that it removes the need to use the same key for encryption and decryption. Whereas traditional cryptography uses one key to decode and encrypt messages, asymmetric encryption utilizes two mathematically linked key pairs; a public key and a private key which must be used together to create a connection. The public key is known to everyone and can be freely

Wswpf 33.jpg

distributed, while the private key is only known the the user who is sending the message. When someone wishes to send a message using any asymmetrical encryption standard, he must use the receiver's public key to send it, then the receiver uses his own private key to decrypt it. Additionally, the connection works both ways; as a message encrypted by a person's private key can be unencrypted by the corresponding public key.

A disadvantage of public-key crypography is that it is slower than symmetric encryption. It requires far more processing power to both encrypt and decrypt the contents of a message. Symmetrical algorithms are very easy to use and have the advantage of not consuming too much computing power, however there are dangers of the single secret key falling into wrong hands. Therefore, many computer companies use them in tandem.


Digital certificates

A Digital Certificate (also known as a public-key certificate)is a form of electronic credentials that associates a public key with an identity by a trusted third party. The third party verifies the owner and that the public key belongs to an owner. A digital Certificate is a pair of files on your computer. Parts of a digital certificate include:

CertificateError2.png
  • The person's name
  • An e-mail address
  • A serial number
  • A public key
  • The hash used to encrypt the digital certificate
  • An expiration date (certificates are valid for five years)
  • The signature and has algorithms
  • A digital signature

Besides standard e-email transactions, Digital Certificates can be used to encrypt HTTPS communications on the internet. A web browser can obtain a certificate from a website using SSL to determine the security of a web server and whether the server has been compromised. The browser requests a certificate using a certificate signing request that has the web site name, contact email address, and company information while the site asks for information to compare it to. The owner then signs it, making the certificate a public certificate.

Certificate Life Cycle

At the Revocation stage of a certificate's life cycle, it is no longer valid, and at the Expiration stage it can no longer be used.

Wildcard Certificates

Wildcard certificates are a sub-type of digital certificates that encompass an entire domain of website addresses.

Digital Signatures

Asymmetric cryptography cannot naturally provide authentication: as although a message that is sent with an asymmetric protocol can ensure the message has not been tampered with, it cannot verify whether the sender is who they say they are due to a public key's nature. To provide proof, a digital signature must be created (not to be confused with a digital certificate), which acts as a handwritten signature verifying the sender. It can also confirm that the message had not been altered since it was signed, or prevent the sender from disputing the origin of the message. The purpose of a digital signature is to only show the that the public key labeled as belonging to a person was used to encrypt the message, nothing more. Hashing, in its simplest form is an algorithm that you can run a piece of data through and get out a number that represents the original.

A digital signature consists of three algorithms: A key generation algorithm that selects a private key at random from a set of possible private keys, then uses it to create the private key and public key that corresponds to it; a signing algorithm that produces the signature when given a message and a private key, and a signature verifying algorithm that takes the message, public key and signature either accepts or rejects the message's claim of authenticity.

Hashing

Hashing is a form of cryptographic security which can be used to ensure the integrity of a file by guaranteeing no one has tampered with it. Where as encryption has a two step process used to first encrypt and then decrypt a message, hashing condenses a message into a irreversible fixed-length value, or hash. Two of the most common hashing algorithms seen in networking are MD5 and SHA-1; however, they are both found to have vulnerabilities and should be discouraged.