Jul 21, 2011

SSL Public Key Infrastructure Overview

SSL Public Key Infrastructure
·         PKI (Public Key Infrastructure) is a set of policies and procedures to establish a secure information exchange between devices.
·         SSL provides confidentiality, authentication and data integrity in a PKI.
Confidentiality
·         Confidentiality means that unintended users cannot view the data.
·         This can be achieved by encrypting the data using one or more symmetric keys that are known only to the endpoints.
·         A symmetric key is usually generated by one endpoint, so it must be transferred securely to the other endpoint.
·         Secure transmission of the symmetric key is generally achieved by one of two mechanisms: key exchange or key agreement.
·         Key Exchange
§  In key exchange, one device generates the symmetric key and then encrypts it using an asymmetric encryption scheme before transferring it to the other end.
§  Asymmetric encryption requires both devices to have a public and a private key.
§  The two keys are related to each other: data encrypted by a public key can be decrypted only by the corresponding private key, and vice versa.
§  The most commonly used key exchange algorithm is the Rivest-Shamir-Adleman (RSA) algorithm.
§  In SSL, the sender encrypts the symmetric keys with the public key of the receiver. This ensures that the private key of the receiver is the only key that can decrypt the transmission.
·         Key Agreement
§  In key agreement, the two sides involved in the data transmission cooperate to generate a symmetric (shared) key.
§  The most commonly used key agreement algorithm is the Diffie-Hellman (DH) algorithm. The DH algorithm depends on certain parameters to generate the symmetric key.
§  Some people exchange the symmetric keys over phone or mail, which is not advisable.
Authentication
·         Authentication is necessary for one or more devices involved in the data exchange to verify that the party to whom they are talking is really who they claim to be.
·         SSL facilitates this authentication using Digital Certificates.
·         Digital certificates are a form of digital identification to prove the identity of the client to the server and vice versa.
·         A Certificate Authority (CA) issues digital certificates.
·         A certificate ensures that the identification information is correct, and that the public key actually belongs to the client or server.
·         Upon receiving a certificate from a server, a client connects to the CA and verifies the validity of the certificate using the issuer’s public key.
·         This ensures that the certificate was actually issued by the CA.
·         A certificate remains valid until it expires or is terminated by the CA.
·         In short, “A” trusts “B” and “B” trusts “C”, therefore “A” trusts “C”.
Message Integrity
·         Message integrity is a means of assuring the recipient of a message that its content has not been tampered with in transit.
·         SSL achieves this by applying a message digest to the data before transmitting it.
·         A message digest is a function that takes an arbitrary-length message and outputs a fixed-length string that is characteristic of the message.
·         It is extremely difficult to reverse a message digest.
·         SSL supports two different message digest algorithms: MD5 (Message Digest 5) and SHA (Secure Hash Algorithm).
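
The Key Agreement and Message Integrity sections above, worked through as an added example (not code from the original post): two endpoints run Diffie-Hellman, hash the shared secret into a symmetric key, and use it to key a digest over a message. Assumptions: the group parameters are a constructed toy, HMAC-SHA256 stands in for the MD5/SHA digests the post names, and the names `Endpoint`, `protect`, `verify` and `demo` are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed toy group: p = 2**127 - 1 is prime but far too small for real
# use; production systems use standardized groups of 2048 bits or more.
P = 2**127 - 1
G = 3


class Endpoint:
    """One side of the agreement. The private value never leaves the object."""
    def __init__(self):
        self._private = secrets.randbelow(P - 3) + 2   # uniform in [2, P-2]
        self.public = pow(G, self._private, P)         # sent in the clear

    def derive_key(self, peer_public):
        # Reject degenerate values (0, 1, P-1) that force a predictable secret.
        if not 2 <= peer_public <= P - 2:
            raise ValueError("peer public value out of range")
        shared = pow(peer_public, self._private, P)
        # Hash the shared secret down to a fixed-length symmetric key.
        return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def protect(key, message):
    """Return the message with a keyed digest (HMAC-SHA256) over it."""
    return message, hmac.new(key, message, hashlib.sha256).digest()


def verify(key, message, tag):
    """Recompute the keyed digest and compare it in constant time."""
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def demo():
    client, server = Endpoint(), Endpoint()
    k_client = client.derive_key(server.public)   # each side uses only the
    k_server = server.derive_key(client.public)   # other side's public value
    message, tag = protect(k_client, b"transfer 100 to account 42")
    return {
        "keys_match": k_client == k_server,
        "intact_ok": verify(k_server, message, tag),
        "tampered_ok": verify(k_server, b"transfer 900 to account 42", tag),
    }

if __name__ == "__main__":
    print(demo())
```

The agreement shown here is unauthenticated on its own; in SSL the certificate described under Authentication is what ties a public value to the identity of the party that sent it.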

1 comment:

  1. Great overview. One of my friends suggested that I visit your blog to learn all about public key infrastructure. I am feeling really lucky as I understood so much from this article.