Analyze the structure of X.509 Certificates.
Why are they important for information security using examples of your choice?
Describe how the various cryptographic functions (symmetric/asymmetric/hash
functions) are employed in X.509 Certificates.
Public key cryptography depends on a public and private key pair for the
encryption and decryption of content. The keys are mathematically related, and
content encrypted with one of the keys can only be decrypted with the other.
The private key is kept secret and the public key is embedded in a binary
certificate. The certificate is published to a database that can be reached by
all authorized users. An X.509 certificate is a digital certificate that uses
the widely accepted international X.509 public key infrastructure (PKI)
standard to verify that a public key belongs to the user, service or computer
identity contained within the certificate. An X.509 certificate contains
information about the identity to which the certificate is issued and the
identity that issued it. The standard information in an X.509 certificate
includes the following components:
Version – Denotes which X.509 version applies to the certificate, which
indicates what data the certificate includes.
Serial number – The identity creating the certificate must assign it a serial
number that distinguishes it from other certificates.
Algorithm information – The algorithm used by the issuer to sign the
certificate.
Issuer distinguished name – The name of the entity issuing the certificate
(also known as a certificate
Validity period of the certificate – The start/end date and time.
Subject distinguished name – The name of the identity the certificate is
issued to.
Subject public key information – The public key associated with the identity.
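The field layout above can be walked directly in the certificate's DER encoding. The following is an added example, not part of the original text: it builds a constructed certificate skeleton (placeholder key and signature bytes, invented names, sha256WithRSAEncryption and rsaEncryption OIDs), reads back the listed fields, and computes the digest of the to-be-signed portion that the issuer's signature covers. It assumes the version field is present (v2/v3), and all function names are illustrative.

```python
import hashlib

def enc(tag, *parts):  # DER-encode one TLV, short or long definite length
    body = b"".join(parts)
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    prefix = size if len(body) < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + prefix + body

def read_tlvs(buf):  # split DER bytes into (tag, value, raw_tlv) triples
    out, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated DER header")
        start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits count the length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated DER element")
        out.append((tag, buf[pos:pos + length], buf[start:pos + length]))
        pos += length
    return out

def name(cn):  # distinguished name with one commonName (OID 2.5.4.3) attribute
    attr = enc(0x30, enc(0x06, b"\x55\x04\x03"), enc(0x0C, cn.encode()))
    return enc(0x30, enc(0x31, attr))

# Constructed sample; key and signature bytes are placeholders, not real values.
SIG_ALG = enc(0x30, enc(0x06, bytes.fromhex("2a864886f70d01010b")), enc(0x05))
VALIDITY = enc(0x30, enc(0x17, b"240101000000Z"), enc(0x17, b"250101000000Z"))
SPKI = enc(0x30, enc(0x30, enc(0x06, bytes.fromhex("2a864886f70d010101")), enc(0x05)),
           enc(0x03, b"\x00" + b"\xAA" * 16))
TBS = enc(0x30, enc(0xA0, enc(0x02, b"\x02")), enc(0x02, b"\x10\x01"), SIG_ALG,
          name("Example CA"), VALIDITY, name("www.example.test"), SPKI)
CERT = enc(0x30, TBS, SIG_ALG, enc(0x03, b"\x00" + b"\xBB" * 16))

def common_name(dn):  # Name -> SET -> SEQUENCE -> (OID, string value)
    return read_tlvs(read_tlvs(read_tlvs(dn[1])[0][1])[0][1])[1][1].decode()

def parse_certificate(der):
    [(_, cert_body, _)] = read_tlvs(der)
    (_, tbs_body, tbs_raw), (_, outer_alg, _), _sig = read_tlvs(cert_body)
    ver, serial, alg, issuer, validity, subject, _spki, *_ext = read_tlvs(tbs_body)
    return {"version": read_tlvs(ver[1])[0][1][0] + 1,  # stored as version - 1
            "serial": int.from_bytes(serial[1], "big"),
            "sig_alg_oid": read_tlvs(alg[1])[0][1].hex(),  # sha256WithRSAEncryption
            "algorithms_match": alg[1] == outer_alg,  # inner and outer must agree
            "issuer": common_name(issuer), "subject": common_name(subject),
            "validity": [v.decode() for _, v, _ in read_tlvs(validity[1])],
            "tbs_sha256": hashlib.sha256(tbs_raw).hexdigest()}  # digest the CA signs
```

Changing any byte of the to-be-signed fields changes `tbs_sha256`, which is why a signature made over the original digest no longer verifies for an altered certificate.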
The X.509 public key infrastructure (PKI) standard sets out the requirements
for robust public key certificates. A certificate is a signed data structure
that binds a public key to a person, organization or computer. Certificates are
issued by Certification Authorities (CAs). Those responsible for securing
communications that make use of a public key depend on the Certification
Authorities to verify the identities of the individuals, systems, or entities
before issuing the certificates. The level of verification depends on the level
of security required for the transaction. Most of the time, the certificates
people refer to as SSL/TLS (Secure Sockets Layer / Transport Layer Security)
certificates are X.509 certificates. The first X.509 certificate was issued in
1988 as part of the International Telecommunications Union’s Telecommunication
Standardization Sector (ITU-T) and the X.500 Directory Services Standard.
Version 2 added two fields to support directory access control in 1993.
Version 3 was released in 1996 and defines the formatting for certificate
extensions.
X.509 defines a mechanism through which information can be made available to a
third party in a secure way. But X.509 does not address the level of effort
needed to validate the information in a certificate. It also does not define a
meaning for that information outside the Certification Authority’s own
management acts. X.509 certificates are not human readable, so the user cannot
see what is being accepted. One has to take it for granted that it is correct,
for example when a browser provides a readable conversion. But even the experts
disagree on basic X.509 issues. We can conclude that X.509 certificates leave a
twilight zone around the most important issue in certification: what has been
certified. X.509 certificates require a directory service, provided by a
Certification Authority, which deals with the users and supplies copies of the
certificates, even when the certificate is used off-line from the CA. This
means that a Certification Authority is needed for two reasons: 1) to issue
standard X.509 certificates that can be interpreted unambiguously and 2) to
make it possible for a user to verify validity.
Any organization that wants a signed certificate requests one through a
certificate signing request (CSR) in the X.509 system. It first generates a key
pair. It keeps the private key secret and uses it to sign the CSR. The CSR
includes the information used to identify the applicant and the applicant’s
public key, which is used to verify the signature of the CSR, and the
Distinguished Name (DN) for which the certificate is used. The CA issues a
certificate that binds a public key to a particular distinguished name. An
organization’s trusted root certificates are distributed to all employees so
that they can use the company’s PKI system. Browsers such as Firefox, Internet
Explorer, and Safari come with a predetermined set of root certificates
pre-installed, so SSL certificates from major certificate authorities work
instantly. As a result, the browsers’ developers decide which CAs are trusted
for the browsers’ users. For example, Firefox provides a CSV and/or HTML file
containing a list of Included Certification Authorities. X.509 also includes
standards for certificate revocation list (CRL) implementations, an often
neglected aspect of PKI systems. The IETF-approved way to check a certificate’s
validity is the Online Certificate Status Protocol (OCSP).
The cryptographic functions (symmetric/asymmetric/hash functions) employed in
X.509 certificates are described as follows:
Symmetric encryption is also known as shared key or shared secret encryption. A
single key is used for both the encryption and decryption of the traffic. The
most common symmetric encryption algorithms include DES, 3DES, AES,
3DES and AES are used in IPsec and other types of VPNs. RC4 has seen worldwide
deployment on wireless networks as the base encryption used by WEP and WPA
version 1. Symmetric encryption algorithms are fast, and their low complexity
allows easy implementation in hardware. However, they require that all hosts
participating in the encryption have already been configured with the secret
key through some external means. A key used for symmetric encryption is a
string of data fed to the encrypter for scrambling the data and making it
Asymmetric encryption is also known as public-key cryptography. It differs from
symmetric encryption in that two keys are used: one key for encryption and the
other for decryption. The asymmetric encryption algorithm commonly used is RSA.
Compared to symmetric encryption, asymmetric encryption imposes a high
computational burden and is much slower. Hence, it is not typically used to
protect the payload data. Robust encryption solutions such as IPsec combine the
strengths of both symmetric and asymmetric encryption. First, the two endpoints
exchange public keys, which allows the setup of a slow but secure channel. Then
the two hosts decide on and exchange shared symmetric encryption keys to
construct much faster symmetric encryption channels for the data. The public
key is just that, public: it can and should be published. That is why
asymmetric encryption is also known as public-key cryptography. However, the
private key should be kept private and protected like the key used for
symmetric encryption. Its advantage is that this is easier, because only one
party ever needs access to it: the party that needs to decrypt the messages.
Hashing is a form of cryptographic security that differs from encryption.
Whereas encryption is a two-step process used first to encrypt and then to
decrypt a message, hashing condenses a message into an irreversible
fixed-length value known as a hash. The two most common hashing algorithms seen
in networking are MD5 and SHA-1. Hashing is used for verifying data, as the
original message cannot be retrieved from a hash. When used to authenticate
secure communications, a hash is the result of the original message and a
secret key. Hashing algorithms are also used without a secret key for error
checking. One of the most important uses of hashing is the protection of
passwords. If a system stores a password hash instead of a password, it can
check an incoming password by hashing it and seeing if the hashes match.
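The two hashing uses described above, a keyed hash for authenticating a message and a stored password hash, are shown below as an added example that is not part of the original text. It contrasts a single unsalted hash with a salted, iterated derivation; the function names, the choice of PBKDF2-HMAC-SHA256 and the iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

def bare_hash(password):
    # The scheme as described in the text: one unsalted, fast hash (SHA-1 here).
    return hashlib.sha1(password.encode()).hexdigest()

def make_record(password, iterations=600_000):
    # Per-user random salt plus a slow key-derivation function.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def check_password(record, candidate):
    # Re-derive with the stored salt and compare in constant time.
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])

def tag_message(key, message):
    # Keyed hash: the result depends on both the message and the secret key.
    return hmac.new(key, message, hashlib.sha256).digest()

def verify_message(key, message, tag):
    return hmac.compare_digest(tag_message(key, message), tag)
```

With the unsalted hash, two users who pick the same password end up with identical stored values; with a per-user salt the stored records differ while verification still succeeds.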