Cellular Networking Perspectives is proud to be able to link you to the anonymous Crypto Answer Man. He will attempt to answer questions of general interest related to wireless security. Due to personal security requirements (and a few unpaid bills) he cannot reveal his identity. Questions that are accepted by our man will be posted here, along with the answers. Particularly interesting questions and answers will be published in Wireless Security Perspectives.
Question Number 3 comes from: Ben Levitan at levitan@aol.com
This area of cryptography is non-trivial and rather difficult to explain to those readers who are new to the topic. A significant amount of literature exists on the subject, though, and one can learn it with adequate time and diligence. Nevertheless, the Crypto-Answer-Man will attempt to briefly and concisely answer the questions posed without providing an abstruse discourse on the subject.
First, in public-key cryptography (PKC) the public key is typically required for two security services: 1) validation of digital signatures and 2) encryption of session (conventional) encryption keys.
For example, if Alice wants to verify the digital signature of Bob, she needs his public key. Also, Alice must provide her public key to Bob so he can encrypt a message to her. This raises a fundamental question: 'what happens if Alice's public key is replaced by another person's?' This presents a significant problem - in fact, a major vulnerability in non-certificate-based PKC.
However, in certificate-based PKC, the public key certificate is essentially the public key of someone that is digitally signed by a trustworthy person. In this way, the certificate provides a means to prevent an adversary from substituting one public key for another.
A certificate contains a public key that is securely associated with an entity (e.g., person, device, etc.). The certificate, by means of a digital signature of a trusted entity (called a certification authority or CA), binds the entity to the key.
Using certificate-based PKC, an adversary cannot substitute another public key and thereby circumvent the cryptographic security. That is, the adversary cannot a) disclose an encrypted message to unauthorized parties and cannot b) forge signatures.
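To make the binding described above concrete, here is an added example (not from the newsletter column) using Go's standard crypto/x509 package. A constructed "Example CA" signs a certificate for Alice; Bob, who trusts only that CA, checks it. The code then models the substitution the text warns about: the public key bytes inside Alice's certificate are overwritten with a key belonging to a third party (called Mallory here, an assumed name). Because the CA's signature covers both the subject name and the key, the altered certificate fails Bob's check. All names and the CA are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a self-signed CA certificate: the trust anchor Bob holds.
func newCA(caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"}, // constructed name
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// issue has the CA sign a certificate binding name to pub. The signature
// covers both fields, so neither can be changed without the CA's key.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, name string, pub *ecdsa.PublicKey) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
}

// substituteKey models the substitution the text describes: the public key
// inside Alice's certificate is overwritten with another P-256 key. The two
// encodings have equal length, so the bytes still parse as a certificate.
func substituteKey(certDER []byte, newPub *ecdsa.PublicKey) ([]byte, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	newSPKI, err := x509.MarshalPKIXPublicKey(newPub)
	if err != nil {
		return nil, err
	}
	return bytes.Replace(certDER, cert.RawSubjectPublicKeyInfo, newSPKI, 1), nil
}

// verify is the relying party's check: the certificate must chain to the
// trusted CA, which requires the CA's signature over it to be intact.
func verify(certDER []byte, ca *x509.Certificate) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// Demo runs the scenario: the CA certifies Alice's key, then a copy of her
// certificate with Mallory's key swapped in is checked the same way.
func Demo() (genuineOK, tamperedOK bool, err error) {
	var keys [3]*ecdsa.PrivateKey // CA, Alice, Mallory (all constructed here)
	for i := range keys {
		if keys[i], err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			return false, false, err
		}
	}
	ca, err := newCA(keys[0])
	if err != nil {
		return false, false, err
	}
	aliceCert, err := issue(ca, keys[0], "Alice", &keys[1].PublicKey)
	if err != nil {
		return false, false, err
	}
	tampered, err := substituteKey(aliceCert, &keys[2].PublicKey)
	if err != nil {
		return false, false, err
	}
	return verify(aliceCert, ca) == nil, verify(tampered, ca) == nil, nil
}

func main() {
	genuine, tampered, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine certificate verifies:", genuine)               // prints true
	fmt.Println("certificate with substituted key verifies:", tampered) // prints false
}
```

Run it with `go run` on a single file. The point to take from the second line of output is that the relying party never had to know anything about Alice's key in advance: it only needed the CA's certificate, and the CA's signature is what detects the swapped key.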
The ITU (International Telecommunication Union) and ISO (International Organization for Standardization) developed a comprehensive directory service technology in the mid-1980s. These directory standards, known as X.500, provide the basis for constructing a multi-purpose directory service for organizations world-wide. The security standards within the ISO framework, known as the X.509 standards, include specifications for public-key certificates. The structure of an X.509 certificate is shown in our newsletter (please refer to issue # ?).
Whew! Heavy! Now, onto Ben's second question. Well, the CA-user dialogue must occur through traditional out-of-band channels. For instance, Alice (the entity) visits a notary public and presents a birth certificate or other identifying information in person. The notary provides Alice with a secret passphrase that may later be used in an online communication with the CA to request the certificate.
Crypto-Answer-Man Notable Note 3: Not only is certificate-based PKC rather complex from a business, technical, social and legal standpoint, it is also very hot! Although only one small component, it provides the critical foundation for electronic commerce, e-business and PKI (public-key infrastructure) today and in the future.