Title: Digital Identification and Verification
1 Digital Identification and Verification
2 Outline
- Crypto Basics
- Digital Certificates
- Online Certificate Status Protocol (OCSP)
- Practical Applications
3 Crypto Basics (1)
- Cryptography
  - The study or the application of the techniques of secret writing, especially code and cipher systems.
- Key Concepts
  - Encryption/Decryption
  - Signing/Verifying
4 Crypto Basics (2)
- Two Types
  - Symmetric Key Algorithms (DES)
    - One key shared by both parties which is used for both encryption and decryption.
  - Public Key Algorithms (RSA, SHA-1, MD5)
    - Four keys, two sets of public/private key pairs.
5 Crypto Basics (3)
Public/Private Key Pairs
Each party has a public and private key. The keys have some complicated mathematical properties where what one key encrypts, only the other can decrypt. One key is chosen as the private key and is securely stored; the other key is given to the public.
6 Crypto Basics (4)
- Digital Signature Requirements
  - The receiver can verify the identity of the sender.
  - The sender cannot repudiate the message.
  - The receiver cannot create the message.
- Use the private key to sign and the public key to verify.
- This is the core of E-commerce!
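The two slides above, worked through in Go as an added example (not code from the original deck): a key pair per party, encryption with the public key that only the matching private key can undo, and a signature made with the private key that anyone holding the public key can verify. The three signature requirements map onto the checks in main: a valid signature verifies, a tampered message or a wrong public key does not. Only Go's standard library crypto/rsa is used; the names Alice and Bob, the key size, the sample message and the function names are choices made here, not anything the slides specify.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// KeyPair holds one party's keys: the private half stays with its owner,
// the public half is handed to everyone else.
type KeyPair struct {
	Private *rsa.PrivateKey
	Public  *rsa.PublicKey
}

func NewKeyPair(bits int) (*KeyPair, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &KeyPair{Private: priv, Public: &priv.PublicKey}, nil
}

// Encrypt seals msg with the recipient's public key (RSA-OAEP); only the
// matching private key can open it.
func Encrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Decrypt opens a ciphertext with the private key; a wrong key fails the
// OAEP padding check and returns an error instead of garbage.
func Decrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

// Sign hashes msg and signs the digest with the sender's private key (RSA PKCS#1 v1.5).
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify succeeds only if sig was produced over exactly msg by the private key
// matching pub: the receiver learns who sent it, the sender cannot deny it, and
// the receiver, holding only the public key, could not have forged it.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	alice, _ := NewKeyPair(2048) // sender
	bob, _ := NewKeyPair(2048)   // receiver
	msg := []byte("transfer 100 credits to account 42") // constructed sample message

	// Confidentiality: Alice encrypts for Bob's public key; only Bob's private key opens it.
	ct, _ := Encrypt(bob.Public, msg)
	pt, _ := Decrypt(bob.Private, ct)
	_, err := Decrypt(alice.Private, ct)
	fmt.Printf("decrypted by Bob: %q; decryption with Alice's key fails: %v\n", pt, err != nil)

	// Authenticity: Alice signs with her private key; anyone verifies with her public key.
	sig, _ := Sign(alice.Private, msg)
	fmt.Println("signature verifies:", Verify(alice.Public, msg, sig))
	fmt.Println("verifies after tampering:", Verify(alice.Public, []byte("transfer 900 credits to account 42"), sig))
	fmt.Println("verifies with Bob's public key:", Verify(bob.Public, msg, sig))
}
```

The hash-then-sign step is what makes the signature depend on every byte of the message: changing one character changes the digest, so the stored signature no longer verifies.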
7 Digital Certificates
- X.509 Certificates (RFC 2459)
  - Bind an identity to a public/private key pair.
  - Issued by a trusted third party.
  - Signed by the issuer's key pair.
  - Contain the public key of the subject's key pair.
  - Contain a validity period and serial number.
  - Contain status: Good or Revoked
8 Online Certificate Status Protocol
- Defined in RFC 2560, June 1999
- Used to get up-to-date status
- Returns Good, Revoked or Unknown
- Can run over HTTP, SMTP and other protocols
9 OCSP Request
- Contains
  - Protocol version
  - Service request
  - Certificate identifier
  - Optional extensions
10 OCSP Response
- Signed by the OCSP responder
- Returns a definitive certificate status response
- Timestamp
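An added example (not code from the original deck) that ties the Digital Certificates slide and the three OCSP slides together in Go: a self-signed root issues a leaf certificate with a serial number and validity period and signs it with the issuer's key pair; chainValid checks the signature chain and the validity period; then a simulated responder answers Good, Revoked or Unknown with a signed, timestamped response. The certificate identifier follows RFC 2560 section 4.1.1 (SHA-1 of the issuer's name and of the issuer's key, plus the serial number). The Response type is a simplified stand-in for the RFC's signed response, not its exact ASN.1, and the certificate names, serial numbers and revocation list are constructed here; only the Go standard library is used.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// issue creates an X.509 certificate for subject signed by the parent's key pair; with parent == nil it is a self-signed root CA.
func issue(subject string, serial int64, notBefore, notAfter time.Time, isCA bool,
	parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: subject},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // self-signed: the issuer is the subject's own key pair
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// chainValid reports whether leaf's signature chains to root and leaf lies inside its validity period at t.
func chainValid(leaf, root *x509.Certificate, t time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: t, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// CertID is the certificate identifier of RFC 2560 section 4.1.1.
type CertID struct {
	HashAlgorithm  pkix.AlgorithmIdentifier
	IssuerNameHash []byte   // SHA-1 of the issuer's DER-encoded distinguished name
	IssuerKeyHash  []byte   // SHA-1 of the issuer's public key (the BIT STRING value only)
	SerialNumber   *big.Int // serial number of the certificate being asked about
}

// issuerKeyHash unwraps SubjectPublicKeyInfo ::= SEQUENCE { algorithm, subjectPublicKey BIT STRING } and hashes only the key bits.
func issuerKeyHash(issuer *x509.Certificate) []byte {
	var spki struct {
		Alg asn1.RawValue
		Key asn1.BitString
	}
	asn1.Unmarshal(issuer.RawSubjectPublicKeyInfo, &spki)
	h := sha1.Sum(spki.Key.Bytes)
	return h[:]
}

func newCertID(cert, issuer *x509.Certificate) CertID {
	nameHash := sha1.Sum(cert.RawIssuer)
	sha1Alg := pkix.AlgorithmIdentifier{Algorithm: asn1.ObjectIdentifier{1, 3, 14, 3, 2, 26}, Parameters: asn1.NullRawValue}
	return CertID{sha1Alg, nameHash[:], issuerKeyHash(issuer), cert.SerialNumber}
}

// Response carries the definitive status plus a timestamp; the responder signs the DER encoding of everything except Signature.
type Response struct {
	CertID     CertID
	Status     string // "good", "revoked" or "unknown"
	ProducedAt time.Time
	Signature  []byte
}

func (resp Response) digest() []byte {
	resp.Signature = nil // sign and verify over the to-be-signed part only
	der, _ := asn1.Marshal(resp)
	d := sha256.Sum256(der)
	return d[:]
}

// Responder simulates an OCSP responder for one issuer: it holds that issuer's revocation list and signs every answer with its own key.
type Responder struct {
	Issuer  *x509.Certificate
	Key     *rsa.PrivateKey
	Revoked map[string]bool // revoked serial numbers, as decimal strings
}

func (r *Responder) Respond(id CertID) Response {
	nameHash := sha1.Sum(r.Issuer.RawSubject)
	status := "unknown" // the request names an issuer this responder does not serve
	if bytes.Equal(id.IssuerNameHash, nameHash[:]) && bytes.Equal(id.IssuerKeyHash, issuerKeyHash(r.Issuer)) {
		status = "good"
		if r.Revoked[id.SerialNumber.String()] {
			status = "revoked"
		}
	}
	resp := Response{CertID: id, Status: status, ProducedAt: time.Now().UTC().Truncate(time.Second)}
	resp.Signature, _ = rsa.SignPKCS1v15(rand.Reader, r.Key, crypto.SHA256, resp.digest())
	return resp
}

// VerifyResponse is the client's check: trust the status only when the responder's signature over it verifies.
func VerifyResponse(resp Response, responderPub *rsa.PublicKey) bool {
	return rsa.VerifyPKCS1v15(responderPub, crypto.SHA256, resp.digest(), resp.Signature) == nil
}
```

Usage follows the slides in order: issue a root with issue("Example Root CA", 1, notBefore, notAfter, true, nil, nil), a leaf signed by it, and a key for the responder; chainValid(leaf, root, now) is true while chainValid(leaf, root, afterExpiry) is false; a Responder whose Revoked map holds the leaf's serial answers "revoked", one that does not answers "good", and a CertID built from a certificate of some other issuer gets "unknown". A client only acts on the status after VerifyResponse passes, which is what the "signed by the OCSP responder" bullet buys: altering Status in transit breaks the signature.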
11 Sample Applications (1)
- SSL
  - Netscape Navigator and Internet Explorer already support X.509 certificates.
  - The browsers can be configured to use the Secure Socket Layer protocol to encrypt data sent to and from web servers.
12 Sample Applications (2)
Securing Email
Netscape Messenger and Microsoft Outlook already support X.509 certificates as well. These email clients can be used to encrypt and sign email messages. Plugins are available for Netscape Communicator, Microsoft Outlook, Internet Explorer, Internet Information Server and the Apache web server to handle OCSP.
13 Additional Resources
- www.rsa.com for all your encryption needs
- ietf.org for standards