Kerberos also provides a single
About Certificates, SSL, and Public Key Infrastructure
Mac OS X Server supports services that use Secure Sockets Layer (SSL) to ensure encrypted data transfer. It uses a Public Key Infrastructure (PKI) system to generate and maintain certificates for use with
PKI systems allow the two parties in a data transaction to be authenticated to each other and to use encryption keys and other information in identity certificates to encrypt and decrypt messages traveling between them.
PKI enables multiple communicating parties to establish confidentiality, message integrity, and message source authentication without exchanging secret information in advance.
SSL technology relies on a PKI system for secure data transmission and user authentication. It creates an initial secure communication channel to negotiate a faster, secret key transmission. Mac OS X Server uses SSL to provide encrypted data transmission for mail, web, and directory services.
The following sections contain more background information about key aspects of PKI.
Public and Private Keys
Within a PKI, two digital keys are created: the public key and the private key.
The private key isn’t distributed to anyone and is often encrypted by a passphrase. The public key is distributed to other communicating parties.
Basic key capabilities can be summed up as follows:
Key type | Capabilities
--- | ---
Public | Can encrypt messages that can only be decrypted by the holder of the corresponding Private key.
Public | Can verify the signature on a message to ensure that it is coming from a Private key.
Private | Can digitally sign a message or certificate, claiming authenticity.
Private | Can decrypt messages that were encrypted with the Public key.
Private | Can encrypt messages that can only be decrypted by the private key.
Chapter 4 Enhancing Security
59