Security in Computer Networks

8.5.2 Public Key Certification

Home | Introduction | 8.1 What Is Network Security? | 8.2 Principles of Cryptography | 8.3 Authentication | 8.4 Integrity | 8.5 Key Distribution and Certification | 8.6 Access Control: Firewalls | 8.7 Attacks and Countermeasures | 8.8 Security in Many Layers: Case Studies

One of the principal features of public key cryptography is that it is possible for ftwo entities to exchange secret messages without having to exchange secret keys.
 
With public key cryptograhpy, the communicating entities still have to exchange public keys.  A user can make its public key publicly available in many ways, for example, by posting the key on the user's personal Web page, by placing the key in a public key server, or by sending the key to a correspondent by e-mail.  A Web commerce site can plae its public key on its server in a manner such that browsers automatically download the public key when connecting to the site.  Routers can place their public keys on public key servers, therby allowing other networks entities to retrieve them.

kurose_320719_c08f20.gif

Binding a public key to a particular entity is typically done by a CA, whose job is to validate identities and issue certificaties.  A CS has the following roles.
 
  1. A CA verifies that an entity is who it says it is.  There are no mandated procedures for how certification is done.  WHen dealing with a CA, one must trust the CA to have performetd a suitably rigorous identity verification.
  2. Once the CA verifies the identity of the entity, the CA creates a certificate that binds the public key of the entity to the identity.  The certificate contains the public key and globally unique identifying information about the owner of the public key.
 
The International Telecommunication Union (ITU) and the IETF have developed standards for certificates.  ITU X.509 [ITU 1993] specifies an authentication service as well as a specific syntax for certificates.  [RFC 1422] describes CA-based hey management for use with secure Internet e-mail.  It is compatible with X.509 but beyond X.509 by establishing procedures and convertions for a key management architecture.
 
With the recent boom in e-commerce and the consequent widespread need for secure transactions, there has been increased interst in certificate authorities.

kurose_320719_c08f21.gif