DefinitionX.509 certificate is a digital certificate that uses x.509 public key infrastructure(PKI) standardto verify that a public key belongs to the user, computer or service identity.A public key infrastructure (PKI) is a set of roles, policies and procedures needed to create,manage, distribute, use, store and revoke digital certificates and manage public-key encryption.X.509 is a public key, identity of party which is signed by a certificate authority or self-signed.
Party uses public key for secure communication, and trust CA to adequately verify theidentities of the party to which it issues certificates.CA (Certificate Authority) is a trusted third-party organization or company that issues digitalcertificates that are used to create digital signatures and public-private key pairs.The X.509 Certificate StructureX.509 is a widely followed standard for digital certificates. The Structure X.
509 digitalcertificate is as follows:1. Version Number: It specifies which x.509 version is used in the certificate.
And alsodefines what data should be included in the certificate.2. Serial Number: It defines the unique identity in form of serial numbers to distinguishfrom other certificates.3. Signature Algorithms ID: It impliesthe algorithms used by the issuer.
Generally, a CertificateAuthority(CA) to send the certificate.The names of the specific Public Keyalgorithms that the CA has used tosign the Certificate (Example, RSAwith SHA-1).4. Issuer Name: It indicates the name of the entity issuing the certificate. Generally, aCertificate Authority(CA).
In other words, identifies the CA Server who issued theCertificate.5. Validity period: It indicates start and the end date and time of issuing certificate.6. Subject name: It indicates the name of the identity the certificate is issued to. Example,cn=auser, ou= SP, o=Alphawest.
7. Subject public key information (optional): Information used to identify the owner ofthe certificate.a. Public Key Algorithmb. Subject Public Key8. Issuer unique identifier (optional): It indicates unique id of the issuer.9. Extension (optional): Additional information like Alternate name, CRL DistributionPoint (CDP)10.
Signature: The actual digital signature of the Certificate Authority (CA).The Process of Obtaining a Digital CertificateThe following diagram shows the process of obtaining a Digital Certificate from a CertificateAuthority (CA).1. Generate Key-pair: User-A generates a Public and Private key-pair or is assigned a key-pair by some authority in their organization.2. Request CA certificate: User-A requests the certificate of the CA server.3. CA certificate Issued: The CA responds with its certificate.
This includes its public keyand its Digital Signature signed using its Private Key.4. Gather Information: User-A gathers all information required by the CA Server to obtainits certificate. This information could include User-A email address, fingerprints, etc.
thatthe CA needs to be certain that User-A claims to be who she is.5. Send Certificate Request: User-A sends a certificate request to the CA consisting of herPublic Key and Additional information. The certificate request is signed by CA’s PublicKey.
6. CA verifies User-A: The CA gets the certificate request, verifies User-A’s identity andher Public Key. The Signature of CA verifies the authenticity of the Certificate.7. CA issues the Certificate: The CA issues the certificate to User-A.Importance of X.509 Certificate for Information SecurityKey Distribution is the function that delivers a key to two parties who wish to exchange secureencrypted data.
Some sort of mechanism or protocol is need to provide for the secure distributionof keys. Key distribution often involves the use of master keys, which are infrequently used andare long lasting and session keys which are generated and distributed for temporary use betweentwo parties. Public-key encryption schemes are secure only if the authority of the public key isassured. A public-key certificate scheme provides the necessary security. X.509 defines theformat for the public key certificates.
This format is widely used in a variety of applications.X.509 is an important standard because the certificate structure and authentication protocolsdefined in X.
509 are used in a variety of contexts. For example, the X.509 certificate format isused in S/MIME, IP Security and SSL/TLS.
X.509 is based on the use of public-keycryptography and digital signatures. The standard does not dictate the use of a specific algorithmassumed to require the use of a hash function. Again, the standard does not dictate a specifichash algorithm.
Symmetric Encryption, Asymmetric Encryption and HashingThe strengths of any cryptographic system rests with the key distribution technique, a term thatrefers to the means of delivering a key to two parties who wish to exchange data withoutallowing others to see the key.A fundamental topic of Information Security that often gives people difficulty is understandingthe difference between symmetric, asymmetric and Hashing. While each has specific uses, arobust communication encryption solution will typically implement all three.1. Symmetric Encryption:Symmetric encryption is referred as shared key or shared encryption. In symmetric encryption, asingle key is used both to encrypt and decrypt traffic. Symmetric encryption includes algorithmslike DES, 3DES, AES and RC4.
3DES and AES are commonly used in IPSec and other types ofVPNs. Symmetric encryption algorithms can be extremely fast, and their relatively lowcomplexity allows for easy implementation in hardware. However, they require that all hostsparticipating in the encryption have already been configured with the secret key through someexternal means.2. Asymmetric Encryption:Asymmetric encryption is also known as public-key cryptography.
Asymmetric encryptiondiffers from symmetric encryption primarily in that two keys are used; one for encryption andone for decryption. The most common asymmetric encryption algorithm is RSA.Compared to symmetric encryption, asymmetric encryption imposes a high computationalburden, and tends to be much slower. Thus, it isn’t typically employed to protect payload data.Instead, its major strength is its ability to establish a secure channel over a non-secure medium(For example, The internet).
This is accomplished by the exchange of public keys, which canonly be used to encrypt data. The complementary private key, which is never shared, is used todecrypt.Robust encryption solutions such as IPSec implements the strength of both symmetric andasymmetric encryption. First, two endpoints exchange public keys, which allows for the setup ofslow but secure channel. Then the two hosts decide on and exchange shared symmetricencryption keys to construct much faster symmetric encryption channel for data.3.
HashingFinally Hashing is a form of cryptographic security which differs from encryption. Whereasencryption is two step processes to first encrypt and then decrypt a message, hashing condenses amessage into an irreversible fixed length value, or hash. Two of the most common hashingalgorithms seen in networking are MD5 and SHA-1Hashing is used only to verify the data; the original message cannot be retrieved from a hash.When used to authenticate secure communications, a hash is typically the result of the originalmessage plus a secret key.
Hashing algorithms are also commonly used without a secret keysimply for error checking. You can use the md5sum and sha1sum utilities on a Linux or Unixmachine to experiment with hashing.Another example of MD5 hashing can be seen in IOS’ secret passwords, which implement arandom salt to avoid duplicate hashes should two users by chance select the same password.
