Be aware of the following facts about encryption and certificates:
- A cipher or algorithm is the process or formula used to encrypt a message.
- A key is a variable in a cipher used to encrypt or decrypt a message.
- Encryption uses one of the following methods:
|Symmetric Encryption||With symmetric (secret key) encryption, a single key is used both to encrypt and decrypt data.
|Asymmetric Encryption (PKI)||Asymmetric encryption requires a pair of associated, but not identical keys (the key pair), generated by a cryptographic service provider (CSP).
With asymmetric encryption, data encrypted with one key can only be unencrypted using the other key.
- A certificate is a digitally-signed statement that binds the value of a public key to the identity of the person, device, or service that holds the corresponding private key. Certificates provide proof of identity and/or encryption for the following uses:
- Web user authentication
- Web server authentication
- Secure e-mail
- Transport layer security
- Code signing
- Certification hierarchy
- Typical information in a certificate includes:
- The subject’s public key value (the subject is the entity that receives the certificate)
- The subject’s identifier information (name and e-mail address, for example)
- The length of time for which the certificate is considered valid (i.e., the validity period)
- Issuer identifier information (the issuer is the certification authority)
- The issuer’s digital signature (this verifies the validity of the binding between the subject’s public key and the subject’s identifier information)
- A Public Key Infrastructure (PKI) is a system that provides for a trusted third party to vouch for user identities and allows binding of public keys to subjects.
- A PKI is made up of Certification Authorities (CAs), also called certificate authorities. A CA is an entity trusted to issue, store, and revoke certificates. A CA:
- Accepts certificate requests.
- Verifies the information provided by the requester.
- Creates and digitally signs the certificate.
- Issues the certificate to the requester.
- Revokes certificates.
- Publishes a list of revoked certificates known as the certificate revocation list (CRL).
- A certification hierarchy consists of a root CA and can include one or more subordinates that are in a parent-child relationship with the root. If a root authority is trusted, all the subordinate CAs are also trusted.
- To issue certificates, each CA must first have its own certificate, verifying its identity.
- The root CA generates its own certificate.
- Subordinate CAs obtain their CA certificates from the root CA or another subordinate CA. This authorizes the CA to issue certificates to other entities and to be trusted.
- You can obtain certificates from a public CA (such as Verisign), or install your own PKI and CAs to issue certificates to users and computers in your organization. Note: If you want a certificate to be trusted by users outside of your organization, obtain a certificate from a third-party CA.