Certificates

Introduction to the concept of certificates

Asymmetric encryption algorithms are based on the sharing of a public key among various users. In general, this key is shared via an electronic directory (usually in LDAP format) or a website.

However, this mode of sharing has a major shortcoming: nothing guarantees the key belongs to the user it is associated with. A hacker can corrupt the public key appearing in the directory by replacing it with his public key. As a result, the hacker will be able to decrypt all messages that have been encrypted with the key appearing in the directory.

A certificate makes it possible to associate a public key with an entity (a person, machine, etc.) to guarantee its validity. The certificate can be seen as the public key's ID card, issued by a body called a Certification Authority (often abbreviated CA).

The certification authority is responsible for issuing certificates, assigning them a validity date (similar to the expiration date on food products), and revoking certificates before this date in the event that the key (or its owner) is compromised.

Structure of certificates

Certificates are small files that are divided into two parts:

  • The part containing information
  • The part containing the certification authority's signature

The structure of certificates is standardized by the ITU's X.509 standard (more precisely X.509v3), which defines the information contained in the certificate:

  • The version of X.509 the certificate corresponds to;
  • The certificate's serial number;
  • The algorithm used to sign the certificate;
  • The name (DN, for Distinguished Name) of the issuing certification authority;
  • The certificate's starting validity date;
  • The certificate's ending validity date;
  • The public key's subject;
  • The public key of the certificate's owner;
  • The certificate issuer's signature (thumbprint).

All of this information (information + requesting party's public key) is signed by the certification authority: a hash function creates a fingerprint of this information, and this hash is then encrypted with the certification authority's private key. The certification authority's public key has been widely distributed ahead of time, so users can verify the certification authority's signature with it.

Creating certificates

When a user wants to communicate with another person, he simply needs to obtain the recipient's certificate. This certificate contains the recipient's name and public key and is signed by the certification authority. It is therefore possible to verify the message's validity by first applying the hash function to the information contained in the certificate, then decrypting the certification authority's signature with its public key, and comparing the two results.
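The signing and verification steps described above, and the directory key substitution they are meant to catch, as an added example that is not part of the original page. It uses a toy certification authority with textbook RSA (no padding) and a simplified field encoding instead of real X.509; the names, serial number, dates and key strings are constructed for illustration.

```python
import hashlib
from datetime import date

# Toy CA key pair (textbook RSA, no padding), built from two Mersenne primes so
# the example needs no crypto library. Illustration only, not a usable key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
CA_N = P * Q                              # CA public key is (CA_N, E)
CA_D = pow(E, -1, (P - 1) * (Q - 1))      # CA private exponent

INFO_FIELDS = ("serial", "issuer", "not_before", "not_after", "subject", "public_key")

def fingerprint(cert):
    """Hash the information part of the certificate (everything but the signature)."""
    data = "|".join(f"{k}={cert[k]}" for k in INFO_FIELDS).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def ca_issue(serial, subject, public_key, not_before, not_after):
    """CA side: hash the information part, then apply the CA private key."""
    cert = {"serial": serial, "issuer": "CN=Example CA", "subject": subject,
            "public_key": public_key, "not_before": not_before, "not_after": not_after}
    cert["signature"] = pow(fingerprint(cert), CA_D, CA_N)
    return cert

def verify(cert, today, revoked=()):
    """User side: recompute the hash, compare it with the value recovered from
    the signature using the CA public key, then check dates and revocation."""
    if pow(cert["signature"], E, CA_N) != fingerprint(cert):
        return "bad signature"
    if not cert["not_before"] <= today <= cert["not_after"]:
        return "outside validity period"
    if cert["serial"] in revoked:
        return "revoked"
    return "ok"

if __name__ == "__main__":
    today = date(2008, 10, 16)
    cert = ca_issue(1001, "CN=alice", "alice-public-key", date(2008, 1, 1), date(2009, 1, 1))
    print(verify(cert, today))
    swapped = dict(cert, public_key="attacker-public-key")  # key replaced in the directory
    print(verify(swapped, today))
    print(verify(cert, date(2010, 1, 1)))                   # after the ending validity date
    print(verify(cert, today, revoked={1001}))              # revoked by the CA before expiry
```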

Verifying the validity of certificates

Certificate signatures

There are various types of certificates depending on their signature level:

  • Self-signed certificates are certificates for internal use. Signed by a local server, this type of certificate makes it possible to guarantee confidential exchanges within an organization, for the purposes of an intranet, for example. Self-signed certificates can be used to authenticate users.
  • Certificates signed by a certification body are necessary when secure exchanges need to be ensured with anonymous users, for example in the case of a secure website that can be accessed by the general public. The third-party certifier guarantees the user that the certificate does indeed belong to the organization it is said to belong to.

Types of use

Certificates are mainly used in three types of contexts:

  • Client certificates, stored on the user's workstation or embedded in a container such as a chip card, make it possible to identify a user and associate him with rights. In most cases, they are transmitted to the server when a connection is made, and the server assigns rights according to the user's accreditation. They are real digital ID cards that use an asymmetric key pair ranging from 512 to 1024 bits long.
  • Server certificates, installed on a web server, make it possible to connect a service with the service's owner. In the case of a website, they make it possible to guarantee that the web page's URL and particularly its domain really belong to such or such a company. They also make it possible to protect transactions with users thanks to the SSL protocol.
  • VPN certificates are a type of certificate installed in network equipment that makes it possible to encrypt communication flows from start to finish between two points (for example, two company sites). In this type of scenario, the users have a client certificate, the servers apply a server certificate and the communication equipment uses a special certificate (generally an IPSec certificate).


Last update on Thursday October 16, 2008 02:43:17 PM.
This document entitled « Certificates » from Kioskea (en.kioskea.net) is made available under the Creative Commons license. You can copy and modify copies of this page under the conditions stipulated by the license, as long as this note appears clearly.