Mumbai University > EXTC > Sem 7 > Data Compression and Encryptiont

Marks: 5 M

Year: Dec 2013

Certificate Based Authentication:

i. The X.509 (ITU recommendation) is a certificate based authentication. X.509 is an important standard because the certificate structure and authentication protocols defined in X.509 are used in variety of contexts.

ii. Each certificate contains the public key of a user and is signed with the private key of a trusted certification authority.

iii. In addition, X.509 defines alternative authentication protocols based on the use of public-key certificates.

iv. X.509 is based on the use of public-key cryptography and digital signatures. The standard does not dictate the use of a specific algorithm but recommends RSA.

v. The digital signature scheme is assumed to require the use of a hash function. Again, the standard does not dictate a specific hash algorithm.

$$\text{Figure 6.3 Public Certificate Generation}$$

vi. The general format of a certificate includes the following elements:

• Version: Differentiates among successive versions of the certificate format; The default is Version 1. If the Issuer Unique Identity or Subject unique identifier are present, the value must be Version 2. If one or more extensions are present, the version must be Version 3.
• Serial Number: An integer value, unique within the issuing CA (Certification Authority) , that is unambiguously associated with this certificate.
• Signature Algorithm Identifier: The algorithm used to sign the certificate, together with any associated parameters. Because this information is repeated in the signature field at the end of the certificate, this field has little, if any utility.
• Issuer Name: X500 name of the CA that created and signed this certificate.
• Period of Validity: Consists of 2 dates: The first and last on which the certificate is valid.
• Subject Name: The name of the user to whom this certificate refers. That is, this certificate certifies the public key of the subject who holds the corresponding private key.
• Subject’s Public Key Information: The public key of the subject plus an identifier of the algorithm for which this key is to be used, together with any associated parameters.
• Issuer Unique Identifier: An optional bit string used to identify uniquely the issuing CA in the event the X.500 name has been reused for different entities.
• Subject Unique Identifier: An optional bit string field used to identify uniquely the subject in the event the X.500 name has been reused for different entities.
• Extensions: A set of one or more extensions fields. Extensions were added in Version 3 and are discussed later in this section.
• Signature: Covers all of the other fields of the certificate, it contains the hash code of the other fields, encrypted with the CA’s private key. This field includes the Signature Algorithm Identifier.

vii. Obtaining User’s Certificate:

User’s certificates generated by a CA have the following characteristics:

• Any user with access to the public key of the CA can verify the user public key that was certified.
• No party other than the certification authority can modify the certificate without this being detected.

viii. Revocation of Certificates:

From the figure above that each certificate includes a period of validity, much like a credit card. Typically, a new certificate is issued just before the expiration of the old one. In addition, it may be desirable on occasion to revoke a certificate before it expires, for one of the following reasons:

• The user’s private key is assumed to be compromised.
• The user is no longer certified by this CA.
• The CA’s certificate is assumed to be compromised.

ix. Authentication Procedures:

X.509 also includes three alternative authentication procedures that are intended for use across a variety of applications. All these procedures make use of public-key signatures. It is assumed that the two parties know each other’s public key, either by obtaining each other’s certificates from the directory or because the certificate is included in the initial message from each side.

x. One-Way Authentication:

One way authentication involves a single transfer of information from one user (A) to another (B), and establishes the following:

• The identity of A and that the message was generated by A.
• That the message was intended for B.
• The integrity and originality (it has not been sent multiple times) of the message.

xi. Two-Way Authentication:

In addition to the three elements just listed, two-way authentication establishes the following elements:

• The identity of B and that the reply message was generated by B.
• That the message was intended for A.
• The integrity and originality of the reply.