Public Key Security
Internal
Overview
Asymmetric Cryptography
Asymmetric cryptography or public key cryptography is a cryptographic system that uses pairs of keys: public keys, which may be disseminated publicly and widely, and private keys that are known only to the owner, to provide authentication and encryption.
Authentication
The authentication function is provided by using the public key of the counterpart to verify that a message was indeed signed with the counterpart's private key. This mechanism works because the private key that signed the message cannot belong to anyone else than the counterpart whose public key was used for verification. This proof is considered sufficient to insure that the counterpart is who it is claiming to be.
Encryption
The encryption function is provided by using the public key of the recipient to encrypt the message. The message thus encrypted can only be decrypted by the corresponding private key, available only to the recipient. Nobody else can decrypt the message.
Public Key Infrastructure (PKI)
A public key infrastructure (PKI) is a set of roles, policies and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public key cryptography. The components of the architecture are aimed at binding public keys with respective identities of entities owning those public keys, such as people or organizations. The binding is established through a process of registration and issuance of certificates at and by a certificate authority (CA).
Certificate Authority (CA)
OpenSSL can be used to implement a simple CA.
A certificate authority digitally sings public keys given by its users and generates signed digitally certificates. Because the CA sings the keys with its own private key, the trust in the user public key relies on one's trust in the validity of the CA's key.
Registration Authority (RA)
The registration authority (RA) is responsible for accepting requests for certificates and authenticating the entity making the request.
Validation Authority (VA)
Key Pair
A key pair consists in two separate but matching cryptographic keys: a public key and a private key.
Public Key
A public key is widely disseminated, shared with any party and used to encrypt data. Data such encrypted can be only decrypted by matching private key. The public key can also be used to verify a signature - data encrypted with a specific private key can only be decrypted with the matching public key.
Private Key
The private key is kept secret, and it used to decrypt data that was encrypted by the matching public key. Content encrypted with a specific public key becomes opaque to everyone except the owner of the corresponding private key. The private key can be used to sign data - content such encrypted can be decrypted by the widely available - and presumably trusted - public key, proving that the signer of the content is indeed the owner of the private key.
Certificate
A certificate is a digitally signed statement vouching for the identity and the public key of an entity.
The certificate contains the identity of the server (its URL), the public key of the server and a digital signature that validates the certificate.
Certificates can be either self-signed or issued by a Certification Authority (CA).
Self-Signed Certificates uses its own private key to sign itself, and the signature is unverified - not connected to any chain of trust. This makes them inherently less secure.
An Authority-Signed Certificate is a certificate that is used to a party by the certification authority (Verisign, CAcert, RSA, etc.). The certification authority verifies the authenticity of the holder of the certificate.
{{{
Enter keystore password: test123
Keystore type: jks Keystore provider: SUN
Your keystore contains 3 entries
twiddle-2, Dec 9, 2009, keyEntry, Certificate fingerprint (MD5): F0:EE:FD:F8:4C:C6:B7:9B:6F:C0:23:64:C1:25:F3:67 twiddle-1, Dec 9, 2009, keyEntry, Certificate fingerprint (MD5): 8C:67:CB:CA:A7:A5:C0:BB:D8:F0:83:0E:59:27:56:02 omega, Dec 9, 2009, trustedCertEntry, Certificate fingerprint (MD5): 2A:E2:78:C6:1D:BF:85:47:6C:05:E0:44:9B:74:D1:D5
}}}
X.509
X.509 is a ITU-T standard for a public key infrastructure (PKI). It specifies the format of certificates. For more details, see:
SSL/TLS
Transport Layer Security (TLS) is the successor of Secure Sockets Layer (SSL). They are both cryptographic protocols designed to provide communications security over a computer network. The client/server pair use a symmetric key to encrypt the communication. The symmetric key is unique and generated for each connection, as part of a protocol exchange that involves pair's public and private keys, using asymmetric cryptography. For more details, see: