Cryptography Reference
In-Depth Information
CHAPTER
5
Creating a Network of Trust
Using X.509 Certifi cates
Chapters 3 and 4 discussed public and private keypairs and reviewed their
importance to secure communications over insecure channels. Until now, where
these keys come from and how they're exchanged has been mostly glossed over.
Where the keys come from is the topic of this chapter. This chapter also includes
some further discussion on authentication.
You're probably familiar with the term
certifi cate
, even if you're fuzzy on the
details. You've undoubtedly visited web sites that have reported errors such as
“this website's certifi cate is no longer valid” or “this website's host name does not
match its certifi cate's host name” or “this certifi cate was not signed by a trusted
CA.” If you're like most Internet users, you generally ignore these warnings,
although in some cases they can indicate something important.
Fundamentally, the certifi cate is a holder for a public key. Although it contains
a lot more information about the subject of the public key — in the case of web
sites, that would be the DNS name of the site which has the corresponding pri-
vate key — the primary purpose of the certifi cate is to present the user agent
with a public key that should then be used to encrypt a symmetric key that is
subsequently used to protect the remainder of the connection's traffi c.
At this point, you may have at least a hazy idea of how most of the concepts
of the past three chapters can be put together to establish a secure communica-
tions link: First, a symmetric algorithm and key is chosen, and then the key is
exchanged using public-key techniques. Finally, everything is encrypted using
the secret symmetric key and authenticated using an HMAC with another secret
Search WWH ::
Custom Search