iTP Secure WebServer System Administrator's Guide (iTPWebSvr 6.0+)
Security Concepts
iTP Secure WebServer System Administrator’s Guide—523346-002
D-5
Managing Key Certificates
use her private key to decrypt Romeo’s session key, and then use the session key to
decrypt Romeo’s message. The net result is more steps, but less time.
Digest Functions
Generating a digital signature by encrypting an entire message is also computationally
expensive. To speed things up, many signature systems first compute a digest of a
message. A digest is a string of bits (128 bits, for example) constructed such that it
would be highly unlikely for any two digests to be identical. It would also be essentially
impossible to recreate a message on the basis of its digest or to find another message
with the same digest.
After generating a digest from his message, Romeo could sign this digest instead of
the entire message. Upon receiving Romeo’s message and its accompanying digest,
Juliet could verify Romeo’s signature by independently computing the digest and
verifying the signature.
Authentication
For authentication, public key systems work as follows: Romeo and Juliet want to
make sure the messages they receive are in fact from each other and not from
someone else, Juliet’s father, for example. When Juliet generates a message to
Romeo, she performs a special computation involving both her private key and the
plaintext of her message. She attaches the result of this computation, called her digital
signature, to her message and sends it (encrypted with Romeo’s public key) to Romeo.
On the other end, after decrypting Juliet’s message, Romeo wants to make sure it is
really from Juliet. To verify the authenticity of Juliet’s message, Romeo performs a
special computation that involves Juliet’s message along with her digital signature and
her public key. If this computation produces the expected result, Romeo knows Juliet’s
digital signature is genuine; if it does not produce the expected result, Romeo knows
he should ignore the message.
Managing Key Certificates
Certificates are digital documents attesting to the binding of a public key to an
individual or other entity. They allow verification of the claim that a given public key
does in fact belong to a given individual. Certificates help prevent an imposter from
using a key to impersonate someone else.
In their simplest form, certificates contain a public key and a name. As commonly used,
they also contain the expiration date of the key, the name of the Certificate Authority
(CA) that issued the certificate, the serial number of the certificate, and perhaps other
information. Most important, certificates contain the digital signature of the certificate
issuer.
A CA issues the certificate and signs it with its private key.