5.12.1.1.2 Message digest

A message digest is text in the form of a single string of digits created with a one-way hash function. One-way hash functions are algorithms that transform a message of arbitrary length into a fixed-length tag called a message digest.

With a good hash function, even a small change in the original message produces a different message digest. The hash function is one-way; it is not possible to deduce the original message from its message digest.

Message digests are used to provide assurance of message integrity. The sender generates a message digest for each of the messages being sent. Each message is transmitted, along with its message digest. The receiver separates the message digest from the message, generates a new message digest from the received message using the same algorithm used by the sender, and compares the received message digest with the newly generated one.

If the two message digests are different, then the message was altered in transit. If the two message digests are identical, then the receiver can be assured that the message’s integrity was not compromised during transmission.

5.12.1.1.3 Message Authentication Code (MAC)

A message authentication code (MAC) is a type of message digest that is created by encrypting the output of a one-way hash function with a symmetric key.
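The following is an added example, not part of the original manual, of the receiver-side check described under "Message digest" and of the keyed check a MAC provides. It uses Python's standard hashlib and hmac modules with HMAC-SHA-256, a standard keyed-hash MAC construction, rather than encrypting the hash output as described above; the key and messages are constructed sample values.

```python
import hashlib
import hmac


def send_with_digest(message):
    """Sender: transmit the message along with its unkeyed SHA-256 digest."""
    return message, hashlib.sha256(message).digest()


def verify_digest(message, received_digest):
    """Receiver: recompute the digest and compare it with the received one."""
    return hmac.compare_digest(hashlib.sha256(message).digest(), received_digest)


def send_with_mac(key, message):
    """Sender: transmit the message along with an HMAC-SHA-256 tag."""
    return message, hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key, message, received_tag):
    """Receiver: recompute the tag with the shared key, compare in constant time."""
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, received_tag)


def run_demo():
    key = b"constructed-demo-key-not-for-use"   # constructed sample key
    original = b"transfer 100 to account 42"    # constructed sample message
    altered = b"transfer 900 to account 42"     # same message, one digit changed

    msg, digest = send_with_digest(original)
    _, tag = send_with_mac(key, original)
    return {
        # Unmodified message: both checks pass.
        "digest_intact": verify_digest(msg, digest),
        "mac_intact": verify_mac(key, msg, tag),
        # Message changed, original digest/tag still attached: both checks fail.
        "digest_message_changed": verify_digest(altered, digest),
        "mac_message_changed": verify_mac(key, altered, tag),
        # Message and digest both replaced: the unkeyed check cannot tell,
        # because anyone can compute a SHA-256 digest.
        "digest_pair_replaced": verify_digest(*send_with_digest(altered)),
        # Same replacement against the MAC check fails without the shared key.
        "mac_pair_replaced": verify_mac(
            key, altered, hashlib.sha256(altered).digest()),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:24} {'accepted' if ok else 'rejected'}")
```

The unkeyed digest detects changes only while the digest itself reaches the receiver unmodified; the keyed tag removes that dependency, which is why the SSL Record Protocol relies on a MAC rather than a bare digest.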

5.12.1.1.4 Digital certificates and certificate authority

Cryptography with an asymmetric key depends on public keys being authentic. If two people are exchanging their public keys over an untrusted network, then that process introduces a security vulnerability. Intruders can intercept messages between them, replace their public keys with their own public keys, and monitor their network traffic. The solution for this vulnerability is the digital certificate. A digital certificate is a file that ties an identity to the associated public key.

This association of identity to a public key is validated by a trusted third party known as the certificate authority. The certificate authority signs the digital certificate with its private key. In addition to a public key and an identity, a digital certificate contains the date of issue and expiration date. OpenSSL supports the international standard, ISO X.509, for digital certificates.

5.12.1.2 SSL architecture

SSL occupies a space between the transport and application layers in the network stack, and consists of two layers. Both layers use services provided by the layer below them to provide functionality to the layers above them. The lower layer consists of the SSL Record Protocol, which uses symmetric key encryption to provide confidentiality to data communications over a reliable, connection-oriented transport protocol, TCP. The upper layer of SSL consists of the SSL Handshake Protocol, the SSL Change Cipher Spec Protocol, and the SSL Alert Protocol.

The SSL Handshake Protocol is used by the client and server to authenticate each other, and to agree on encryption and hash algorithms to be used by the SSL Record Protocol. The authentication method supported by SSL in the evaluated configuration is client and server authentication using X.509 certificates.

The SSL Change Cipher Spec Protocol changes the cipher suite of encryption and hash algorithms used by the connection. The SSL Alert Protocol reports SSL-related errors to communicating peers.

Figure 5-90 depicts different SSL protocols and their relative positions in the network stack.

IBM 10 SP1 EAL4 manual Message digest, Message Authentication Code MAC, Digital certificates and certificate authority