What actually is an X.509 certificate?

It is a "Digital Certificate" that uses the widely accepted international X.509 Public Key Infrastructure (PKI) standard to verify that a public key belongs to the user, computer or service identity contained within the certificate.

An X.509 certificate contains information about the identity to which a certificate is issued and the identity that issued it.

The first X.509 certificates were issued in 1988 as part of the International Telecommunication Union's Telecommunication Standardization Sector (ITU-T).

Structure of X.509 Certificates:

Serial Number: Used to uniquely identify the certificate.
Subject: Provides the name of the computer, user, network device, or service that the CA issues the certificate to.
Serial Number: Provides a unique identifier for each certificate that the CA issues.
Issuer: Provides a distinguished name for the CA that issued the certificate.
The issuer name is commonly represented by using X.500 or LDAP (Lightweight Directory Access Protocol) format.
Valid From: Provides the date and time when the certificate becomes valid.
Valid To: Provides the date and time when the certificate is no longer considered valid.
Public Key: Contains the public key of the key pair that is associated with the certificate.
Signature algorithm: The algorithm used to create the signature.
Signature: The actual signature to verify that it came from the issuer.

X.509 certificates are important for information security because the certificate structure and authentication protocols defined in X.509 are used in a variety of contexts. For example, the X.509 certificate format is used in S/MIME, IP Security, and SSL/TLS.

X.509 was initially issued in 1988. The standard was subsequently revised to address some of the security concerns; a revised recommendation was issued in 1993. A third version was issued in 1995 and revised in 2000. X.509 is based on the use of public-key cryptography and digital signatures.

The standard does not dictate the use of a specific algorithm but recommends RSA.
The digital signature scheme is assumed to require the use of a hash function. Again, the standard does not dictate a specific hash algorithm. The 1988 recommendation included the description of a recommended hash algorithm; this algorithm has since been shown to be insecure and was dropped from the 1993 recommendation.
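
The Valid From and Valid To fields from the structure list above are stored inside the certificate as a DER-encoded ASN.1 SEQUENCE of two time values. The following is an added example, not part of the original text, that decodes such a Validity element and checks a timestamp against it; the sample bytes are constructed for illustration and the function names are this example's own.

```python
from datetime import datetime, timezone

def read_tlv(buf, pos):
    """Read one DER tag-length-value element; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end

def parse_time(tag, value):
    """Decode UTCTime (tag 0x17) or GeneralizedTime (tag 0x18) into an aware datetime."""
    text = value.decode("ascii")
    if tag == 0x17:                         # YYMMDDHHMMSSZ; RFC 5280: YY >= 50 means 19YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != 0x18:                       # GeneralizedTime is already YYYYMMDDHHMMSSZ
        raise ValueError("not an ASN.1 time type")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_validity(der):
    """Return (valid_from, valid_to) from a DER Validity SEQUENCE."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Validity must be a SEQUENCE")
    t1, v1, pos = read_tlv(body, 0)
    t2, v2, _ = read_tlv(body, pos)
    return parse_time(t1, v1), parse_time(t2, v2)

def is_valid_at(der, when):
    """True when 'when' falls inside the Valid From / Valid To window."""
    valid_from, valid_to = parse_validity(der)
    return valid_from <= when <= valid_to

# Constructed sample: SEQUENCE (30 bytes) holding two 13-byte UTCTime values.
SAMPLE_VALIDITY = (b"\x30\x1e"
                   + b"\x17\x0d" + b"240101000000Z"
                   + b"\x17\x0d" + b"250101000000Z")

if __name__ == "__main__":
    print(parse_validity(SAMPLE_VALIDITY))
    print(is_valid_at(SAMPLE_VALIDITY, datetime.now(timezone.utc)))
```
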

Certificate complexity

A majority of Internet users, either business or social, currently lack the basic ability, knowledge and willingness to effectively use cryptographic applications in a way that can successfully deter imminent threats. The complexity of this task is one of the weaknesses of public key cryptography. A lack of user friendliness and overall usability thus affects solution efficacy. To deal with such issues, major software companies have included a bundle of root certificates, which have been audited for security purposes, into user browsers and operating systems.

For the sake of user friendliness and interoperability, all web browsers and operating systems currently contain this audited Trusted Root Store of certificate issuing authorities. Certificates issued by these organizations, or their subordinate authorities, are transparently trusted by relying entities. These certificates are automatically deemed secure and trustworthy, as opposed to those issued by "unknown" issuers, which a relying party is warned not to trust.
This extends to certificates published by all authorities that have not been included in the root store. This approach attempts to make the provision of system security automatic and transparent, and essentially removes from the end user the decision-making process about the trustworthiness of web entities.

The X.509 standard was primarily designed to support the X.500 structure, but today's use cases center on the web. Many features are of little or no relevance today. The X.509 specification suffers from being over-functional and underspecified, and the normative information is spread across many documents from different standardization bodies. Several profiles were developed to solve this, but these introduce interoperability issues and did not fix the problem.

Symmetric Encryption

Symmetric encryption may also be referred to as shared key or shared secret encryption. In symmetric encryption, a single key is used both to encrypt and decrypt traffic.

Common symmetric encryption algorithms include DES, 3DES, AES, and RC4. 3DES and AES are commonly used in IPsec and other types of VPNs.
RC4 has seen wide deployment on wireless networks as the base encryption used by WEP and WPA version 1.

Symmetric encryption algorithms can be extremely fast, and their relatively low complexity allows for easy implementation in hardware. However, they require that all hosts participating in the encryption have already been configured with the secret key through some external means.

Asymmetric Encryption

Asymmetric encryption is also known as public key cryptography.
Asymmetric encryption differs from symmetric encryption primarily in that two keys are used: one for encryption and one for decryption. The most common asymmetric encryption algorithm is RSA.

Compared to symmetric encryption, asymmetric encryption imposes a high computational burden, and tends to be much slower. Thus, it isn't typically employed to protect payload data. Instead, its major strength is its ability to establish a secure channel over an insecure medium (for example, the Internet).
This is accomplished by the exchange of public keys, which can only be used to encrypt data. The complementary private key, which is never shared, is used to decrypt.

Robust encryption solutions such as IPsec implement the strengths of both symmetric and asymmetric encryption. First, two endpoints exchange public keys, which allows for the setup of a slow but secure channel. Then the two hosts decide on and exchange shared symmetric encryption keys to construct much faster symmetric encryption channels for data.

Hashing

Finally, hashing is a form of cryptographic security which differs from encryption. Whereas encryption is a two-step process used to first encrypt and then decrypt a message, hashing condenses a message into an irreversible fixed-length value, or hash.
Two of the most common hashing algorithms seen in networking are MD5 and SHA-1.

Hashing is used only to verify data; the original message cannot be retrieved from a hash. When used to authenticate secure communications, a hash is typically the result of the original message plus a secret key. Hashing algorithms are also commonly used without a secret key simply for error checking.

You can use the md5sum and sha1sum utilities on a Linux or UNIX machine to experiment with hashing
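
The difference between a hash used for error checking and a hash combined with a secret key can be seen in a short Python session. This is an added example, not part of the original text: the key and messages are constructed samples, and HMAC with SHA-256 is this example's choice for the keyed hash, which the text does not name.

```python
import hashlib
import hmac

def plain_digest(message: bytes, algorithm: str = "sha1") -> str:
    """Unkeyed hash: the value md5sum/sha1sum print for the same bytes."""
    return hashlib.new(algorithm, message).hexdigest()

def keyed_tag(key: bytes, message: bytes) -> str:
    """Keyed hash over the message (HMAC-SHA-256, chosen for this example)."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def verify_tag(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest compares in constant time instead of stopping at the first mismatch
    return hmac.compare_digest(keyed_tag(key, message), tag)

def digest_lengths() -> dict:
    """Hash output length is fixed, whatever the input size."""
    short, long_ = b"a", b"a" * 1_000_000
    return {alg: (len(plain_digest(short, alg)), len(plain_digest(long_, alg)))
            for alg in ("md5", "sha1")}

def tamper_demo() -> dict:
    key = b"constructed-shared-secret"           # constructed sample key
    original = b"transfer 100 to account 42"     # constructed sample messages
    altered = b"transfer 900 to account 77"
    sent_tag = keyed_tag(key, original)
    # Whoever alters the message in transit can also recompute an unkeyed hash,
    # so that check still passes. Without the key, the tag cannot be recomputed.
    replaced_hash = plain_digest(altered)
    return {
        "unkeyed_check_passes_on_altered": plain_digest(altered) == replaced_hash,
        "keyed_check_passes_on_altered": verify_tag(key, altered, sent_tag),
        "keyed_check_passes_on_original": verify_tag(key, original, sent_tag),
    }

if __name__ == "__main__":
    print(digest_lengths())
    print(tamper_demo())
```
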