Digital Signatures and PKI Flashcards
What is a digital signature?
A digital signature is a certificate that binds a public key to an entity.
Who verifies a digital signature?
The certificate that is verified by certificate authorities or trusted third parties.
What properties must digital certificates have?
Unforgeable
Authentic
Unalterable
Non-reusable
What does a digital certificate contain to preserve its required properties
A message digest (Unalterable)
Encryption via the private key which is unencrypted using the public key (Authentic & Unforgeable)
Label to show identity of the sender (Authentic)
Timestamp for non-repudiation
What is the process that a sender goes through when sending a digital signature?
Hash the message Encrypt using private key Add expiration dates, serial numbers etc Authenticate message Send
What is the process that a receiver goes through when receiving a digital signature?
Separate digital signature from the message
Decrypt the signature using the sender’s public key
Hash the message and compare the decrypted hash
How is confidentiality of the message preserved when using digital signatures?
A random key can be encrypted using the receiver’s public key and sent with the message
What is PGP?
The Pretty Good Privacy Protocol allows common users access to encryption. Uses two key concepts:
1) A key is only valid iff it’s owned by the person who claims to own it.
2) Trust is a mechanism to validate a key.
How are certificates issued in PGP?
Certificates are self-signed, and certificates that you trust are signed by you. There is no high-level authority
What are the four levels of trust in PGP?
Implicit trust
Full trust
Marginal trust
Untrusted
What is implicit trust?
Reserved for only your own keys. If the keyring contains a private key that signed a public key then you trust that public key
What is full trust?
Keys that are provided by full trust user are trusted without extra verification.
What is marginal trust?
Keys provided by this user need to be vouched by at least one other user in the network.
How are untrusted users treated in PGP?
Keys from this user are disregarded
What is a PKI?
Set of policies, procedures and products to aid in trusted communications
How does PKI allow for pervasive security infrastructure?
By allowing for trusted communications over an untrusted public network
What happens to trust when using PKI?
Trust is moved to authorities in the network from individuals. Users must trust that the chain is integral.
How are messages authenticated and kept confidential?
Messages are authenticated by using digital signatures and can be kept confidential by using a session key.
What are the five stages of PKI certificates go through?
Construction Issuance Signing Confirmation/Denial Invalidation
What do certificate authorities do?
Trustworthy roots of the network that certify user identity through registration, binding public keys to identity.
All certificates in the network depend on the root nodes.
What is the certification revocation list?
List of certificates that have been revoked in the network. Suffers from propogation delay.
What do certificates consist of?
Public key
Name of owner
Hash of name & key
What is X.509?
Standardized format for the issuing of certificates.
What is contained in an X.509 certificate?
Serial Number: Used to uniquely identify the certificate.
Subject: The person, or entity identified.
Signature Algorithm: The algorithm used to create the signature.
Signature: The actual signature to verify that it came from the issuer.
Issuer: The entity that verified the information and issued the certificate.
Valid-From
Valid-To
Key-Usage: Purpose of the public key (e.g. encipherment, signature, certificate signing…).
Public Key: The public key.
Thumbprint Algorithm: The algorithm used to hash the public key.
Thumbprint: The hash itself, used as an abbreviated form of the public key
What are some of Schneir’s identified risks?
How secure is the verifying computer
Which John Robinson is he
How was the certificate holder identified
