Re: Help! I'm trying to understand PKI - especially CA's role
From: Wimbo (wimbo_online_at__REMOVETHIS_hotmail.com)
Date: 10/08/04
- Next message: Anne & Lynn Wheeler: "Re: Help! I'm trying to understand PKI - especially CA's role"
- Previous message: walterbyrd: "Help! I'm trying to understand PKI - especially CA's role"
- In reply to: walterbyrd: "Help! I'm trying to understand PKI - especially CA's role"
- Next in thread: Anne & Lynn Wheeler: "Re: Help! I'm trying to understand PKI - especially CA's role"
- Reply: Anne & Lynn Wheeler: "Re: Help! I'm trying to understand PKI - especially CA's role"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 08 Oct 2004 18:41:39 +0200
walterbyrd wrote:
> Below is what I understand so far. I know that at some point, the
> sender's public key is sent to a CA, and the CA sends back a digital
> certificate. Then the sender sends the digital certificate to the
> receiver.
>
> But I'm not sure where that takes place. For example, does the sender
> create the digital signature, or does the CA?
>
> ------------------------
>
> Process to send a message
> - start with clear text message
> - sender uses a hash function to make a Message Digest (MD)
> - sender uses sender's private key to encrypt MD
> - this creates a Digital Signature
> - sender encrypts the message with receiver's public key
> - encrypted MD (Digital Signature) is sent with the encrypted message
> - receiver uses receiver's private key to decrypt message
> - this verifies confidentiality
> - only receiver's private key can open message
> - receiver uses sender's public key to decrypt MD
> - this verifies authenticity
> - only sender's private key could have encrypted the MD
Basic operations:
Alice sends her public key to a CA for certification.
The CA verifies the credentials and signs the public key with the private
key of the CA and sends it back to Alice. (The verification credentials
depend on the requested certificate class. Class 1 certificates are only
validated by e.g. a valid credit card number. The higher the class, the
more personal it gets. With a class 3 certificate the CA knows for sure
that you are the person you say you are.)
Most CAs have the possibility of storing the certificate in a publicly
accessible LDAP, so that the rest of the world has access to the user's
certificate (for encrypting messages or to verify digital signatures).
If Alice wants to encrypt a message to Bob she needs to get the certificate
(public key) of Bob. This can be done by retrieving the certificate from
the LDAP (mentioned earlier) or by requesting a signed e-mail from Bob.
Microsoft e-mail applications send the certificate along with digitally
signed messages, so that the recipient can validate the signature with the
attached certificate. The same certificate can be used to encrypt messages
in the future.
The only challenge is to know for sure that the certificate belongs to Bob
and not to Mr Man-in-the-Middle. This is possible with Class 1
certificates, but is nearly impossible for class 3 certificates.
If Alice wants to make sure that the message doesn't change during transit,
she signs the message with her private key. Bob can verify this by using
the certificate (public key) of Alice.
So the only thing a CA does is create certificates by signing public keys.
After that the CA is only used to verify if a certificate has been revoked
(CRL checking). The CA will be necessary for renewing a certificate after
one year (2 year certificates are becoming more and more common nowadays).
Wimbo
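As an added illustration (not part of the original thread), here is a toy PKI in Go using only the standard library that shows the division of labour described above: the CA does nothing but sign public keys into certificates, the sender signs her own message with her private key, and the recipient checks the attached certificate against the CA he trusts before using the key inside it. The names "Example CA" and "Alice", the 24-hour validity and the serial-number scheme are assumptions made for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Issue signs pub into a certificate. With isCA it self-signs the CA's own root; otherwise it is
// the CA's whole job: after the out-of-band identity checks (not modelled), sign the applicant's key.
func Issue(parent *x509.Certificate, signer *rsa.PrivateKey, name string, pub *rsa.PublicKey, isCA bool) (*x509.Certificate, error) {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour), // assumed validity
		KeyUsage: x509.KeyUsageDigitalSignature, IsCA: isCA, BasicConstraintsValid: true}
	if isCA {
		t.KeyUsage, parent = x509.KeyUsageCertSign, t // a root is its own parent
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Sign is the sender's step, not the CA's: hash the message, then sign the digest with her private key.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	d := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
}

// Verify first checks that the attached certificate chains to a CA the recipient already trusts
// (otherwise anyone could attach a self-made certificate), then checks the signature with the certified key.
func Verify(roots *x509.CertPool, cert *x509.Certificate, msg, sig []byte) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	d := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(cert.PublicKey.(*rsa.PublicKey), crypto.SHA256, d[:], sig)
}
```

A certificate that was not issued by a trusted CA fails in the chain check, so the signature on it is never even examined.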