iTP Secure WebServer System Administrator's Guide (iTPWebSvr 5.1+)
Security Concepts
iTP Secure WebServer System Administrator’s Guide—522659-001
D-5
Managing Key Certificates
Digest Functions
Generating a digital signature by encrypting an entire message is also computationally
expensive. To speed things up, many signature systems first compute a digest of a
message. A digest is a string of bits (128 bits, for example) constructed such that it
would be highly unlikely for any two digests to be identical. It would also be essentially
impossible to recreate a message on the basis of its digest or to find another message
with the same digest.
After generating a digest from his message, Romeo could sign this digest instead of the
entire message. Upon receiving Romeo’s message and its accompanying digest, Juliet
could verify Romeo’s signature by independently computing the digest and verifying the
signature.
Authentication
For authentication, public key systems work as follows: Romeo and Juliet want to make
sure the messages they receive are in fact from each other and not from someone else,
Juliet’s father, for example. When Juliet generates a message to Romeo, she performs a
special computation involving both her private key and the plaintext of her message. She
attaches the result of this computation, called her digital signature, to her message and
sends it (encrypted with Romeo’s public key) to Romeo.
On the other end, after decrypting Juliet’s message, Romeo wants to make sure it is
really from Juliet. To verify the authenticity of Juliet’s message, Romeo performs a
special computation that involves Juliet’s message along with her digital signature and
her public key. If this computation produces the expected result, Romeo knows Juliet’s
digital signature is genuine; if it does not produce the expected result, Romeo knows he
should ignore the message.
Managing Key Certificates
Certificates are digital documents attesting to the binding of a public key to an
individual or other entity. They allow verification of the claim that a given public key
does in fact belong to a given individual. Certificates help prevent an imposter from
using a key to impersonate someone else.
In their simplest form, certificates contain a public key and a name. As commonly used,
they also contain the expiration date of the key, the name of the Certificate Authority
(CA) that issued the certificate, the serial number of the certificate, and perhaps other
information. Most important, certificates contain the digital signature of the certificate
issuer.
A CA issues the certificate and signs it with its private key.