Cryptography Overview

A certificate connects an entity to a public key. For instance, it can list an individual’s name, address, and public key. When people want to use a person’s public key, they look up the certificate associated with that person’s name and address. A certificate can contain a wide variety of information on its owner, such as the person’s organization or job title. This helps differentiate between people who have the same name. The certificate can also contain information on when it was issued or when the public key expires.

For a certificate system to work, there need to be individuals or organizations that issue and maintain the certificates. These are known as certificate authorities, or CAs. An individual can request a certificate by presenting a CA with a public key, a name, and any other identifying information. It is then the CA’s responsibility to verify that the entity making the request is indeed the person identified by the information or is authorized to be associated with that key. The level of trust users place in a CA will depend on the level of verification it performs.

When you ask for an individual’s public key, the CA sends the certificate together with its signature, which is the digest of the certificate encrypted with the CA’s private key. To verify that the certificate is genuine, you must digest the certificate yourself and decrypt the signature using the CA’s public key. Compare the two results: if they are the same, you have a proper certificate.
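The digest, decrypt and compare check described above, as an added example that is not code from the guide and does not use the Crypto-C API. It assumes unpadded textbook RSA with a constructed toy CA key built from two Mersenne primes, SHA-256 as the digest, and made-up certificate contents; all names in it are hypothetical.

```python
import hashlib

# Constructed toy CA key: two Mersenne primes give a ~150-bit modulus.
# Far too small for real use; chosen so the example runs offline.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537                              # CA public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # CA private exponent (Python 3.8+)

def digest(cert: bytes, n: int = N) -> int:
    """SHA-256 of the certificate, reduced so it fits under the modulus."""
    return int.from_bytes(hashlib.sha256(cert).digest(), "big") % n

def ca_sign(cert: bytes) -> int:
    """CA side: encrypt the certificate digest with the CA private key."""
    return pow(digest(cert), D, N)

def verify(cert: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """User side: digest the certificate, decrypt the signature with the
    CA public key (e, n), and compare the two results."""
    if not 0 <= signature < n:         # out-of-range values are never valid
        return False
    return pow(signature, e, n) == digest(cert, n)

# Constructed sample certificate: name, organization, public key, expiry.
CERT = b"name=Alice Example;org=Example Corp;pubkey=0x1234abcd;expires=2030-01-01"
SIG = ca_sign(CERT)

# Same certificate with the public key field swapped after signing.
TAMPERED = CERT.replace(b"0x1234abcd", b"0xdeadbeef")

# Modulus of a different, constructed CA; it must not validate SIG.
OTHER_N = (2**61 - 1) * (2**107 - 1)

if __name__ == "__main__":
    print("genuine certificate:", verify(CERT, SIG))
    print("tampered key field: ", verify(TAMPERED, SIG))
    print("wrong CA public key:", verify(CERT, SIG, E, OTHER_N))
```

Changing any field after signing changes the digest, so the comparison fails even though the signature value itself is untouched.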

If the CA you deal with does not have a certificate for the individual in question, that CA can communicate with another CA that might have the right certificate. In fact, to find a particular certificate, a CA may have to go through a chain of CAs until it finds one that possesses the desired certificate.

Names that uniquely distinguish users are necessary for digital certificates to be of real use. The CCITT X.500 series of documents offers more discussion regarding naming conventions and related topics.

Diffie-Hellman Public Key Agreement

The Diffie-Hellman Public Key Agreement, invented by Whitfield Diffie and Martin Hellman in 1976, was the first true public-key algorithm. It provides a method for key agreement; that is, it allows two parties to each compute the same secret key without exchanging secret information. Diffie-Hellman key agreement does not provide encryption or authentication.

The Algorithm

The Diffie-Hellman algorithm is made up of three parts (see Figure 3-12 on page 63):

Parameter Generation

RSA BSAFE Crypto-C Developer’s Guide

RSA Security 5.2.2 manual Diffie-Hellman Public Key Agreement, Algorithm