Microsoft Windows and Security Certificates
There are two main types of encryption algorithms: symmetric and asymmetric. Symmetric algorithms use the same key to encrypt and decrypt data. Asymmetric algorithms use two related keys—one key to encrypt data and another key to decrypt data. In general, symmetric algorithms are faster than asymmetric algorithms of the same strength. For large amounts of data or frequent encryption/decryption cycles, symmetric algorithms are preferable to asymmetric algorithms because of the faster execution time.
The main problem with using symmetric algorithms in distributed applications, such as web applications or VPNs, is getting the same key to both server and client. If you can’t get the encryption key to a client in a secure manner, then you can’t create a secure connection. One approach to the problem is to only use asymmetric encryption. Asymmetric encryption is slower and requires substantial overhead to maintain connections.
A novel solution is to use asymmetric encryption to exchange a symmetric key. The receiver receives a message containing the symmetric encryption key that has been encrypted using the sender’s private key. The receiver can decrypt the message with the sender’s public key. Once the key is properly exchanged, all subsequent communication can use the faster symmetric encryption. One problem with this approach is ensuring there is trust when negotiating and exchanging encryption keys during connection setup. You have to trust that the sender is who he or she claims to be and not an imposter.
A security certificate, also called a digital certificate, is used to deliver a trusted public key that can be used with assurance it belongs to the stated owner. In other words, a digital certificate is used to authenticate the identity of the certificate’s owner to others. A security certificate is a document that contains identity information and a public key, along with other descriptive information. The document is then encrypted with the private key of a trusted entity. A digital certificate can be decrypted using the public key of the trusted entity—if it came from the trusted entity. Once successfully decrypted, the document will contain the public key from a source that can be trusted—at least you can trust that the key came from the stated source. The most commonly used format for digital certificates is defined by the International Telecommunications Union (ITU-T) and X.509 standard. TABLE 4-3 shows the most common types of digital certificates and how each one is used.
TABLE 4-3 Main Types of Digital Certificates |
|
|---|---|
| CERTIFICATE TYPE | DESCRIPTION |
| TLS/SSL Server certificate | A certificate presented by a TLS/SSL server to authenticate that server during a TLS/SSL connection setup. |
| TLS/SSL Client certificate | A certificate presented by a TLS/SSL client during TLS/SSL connection setup when bidirectional (server and client) authentication is required. |
| Email certificate | The S/MIME secure email protocol uses an email certificate for the message recipient to acquire the recipient’s public key and uses it to encrypt email messages for that recipient. |
| Code Signing certificate | A certificate used to validate signatures of compiled programs used to detect any unauthorized changes made after signing. |
| Qualified certificate | A certificate that identifies an individual and is commonly used with electronic signatures. |
| Self-signed certificate | A certificate signed by the issuer. When a certificate is not issued by a trusted authority, the value of the self-signed certificate relies on the trust a certificate user has for the issuer. Generally regarded as untrusted, self-signed certificates are sometimes called snake oil certificates. |
© Jones & Bartlett Learning. |
|