Active Directory 2008: Certificate Services…

Certificate Facts

Be aware of the following facts about encryption and certificates:

  • A cipher (or algorithm) is the process or formula used to encrypt a message.
  • A key is a variable in a cipher used to encrypt or decrypt a message. The cipher itself is normally public; the security of the system rests on keeping the key secret.
  • Encryption uses one of the following methods:

Method: Symmetric encryption
Description: With symmetric (secret key) encryption, a single key is used both to encrypt and decrypt data.
  • The sender and the recipient of the message must both have the key for the system to work.
  • This creates a problem of key distribution: the key must be sent or shared before communication begins, and anyone who intercepts it can read and forge every message protected with it. The symmetric ciphers themselves (AES, for example) are fast and secure; the weakness lies in distributing the key, which is the problem asymmetric encryption and PKI are used to solve.

Method: Asymmetric encryption (PKI)
Description: Asymmetric encryption requires a pair of associated, but not identical, keys (the key pair), generated on Windows by a cryptographic service provider (CSP).
  • The public key is made available to everyone.
  • The private key is kept secret by its owner.
With asymmetric encryption, data encrypted with one key of the pair can only be decrypted with the other key.
  • Encrypting a message with the sender's private key (a digital signature) means that only the corresponding public key can decrypt it. This proves that the message came from the holder of the private key, but does not provide data confidentiality (secrecy), because anyone with the public key can read the message. In practice what is signed is a hash of the message, and the message travels in the clear next to its signature. Proving who holds a given public key is what certificates are for.
  • Encrypting a message with the recipient's public key means that only the intended recipient (who has the private key) can read the message. This provides data confidentiality because only the recipient will be able to read the message. Because public-key operations are slow and limited to small inputs, real systems use them to protect a symmetric session key and encrypt the bulk data with that key.
  • A certificate is a digitally-signed statement that binds the value of a public key to the identity of the person, device, or service that holds the corresponding private key. Certificates provide authentication (proof of identity) and/or keys for encryption in the following uses:
    • Web user authentication
    • Web server authentication
    • Secure e-mail
    • IPSec
    • Transport layer security
    • Code signing
    • Certification hierarchy (CA certificates, which authorize a CA to sign other certificates)
  • Typical information in a certificate includes:
    • The subject's public key value (the subject is the entity that receives the certificate)
    • The subject's identifier information (name and e-mail address, for example)
    • The length of time for which the certificate is considered valid (i.e., the validity period)
    • A serial number assigned by the issuer (a revoked certificate is identified on the CRL by its serial number)
    • Issuer identifier information (the issuer is the certification authority)
    • The issuer's digital signature (this verifies the validity of the binding between the subject's public key and the subject's identifier information; anyone holding the issuer's public key can check it)
  • A Public Key Infrastructure (PKI) is a system that provides for a trusted third party to vouch for user identities and allows binding of public keys to subjects.
  • A PKI is made up of Certification Authorities (CAs), also called certificate authorities. A CA is an entity trusted to issue, store, and revoke certificates. A CA:
    • Accepts certificate requests.
    • Verifies the information provided by the requester.
    • Creates and digitally signs the certificate with the CA's own private key.
    • Issues the certificate to the requester.
    • Revokes certificates.
    • Publishes a list of revoked certificates known as the certificate revocation list (CRL).
  • A certification hierarchy consists of a root CA and can include one or more subordinates that are in a parent-child relationship with the root. If a root authority is trusted, the subordinate CAs beneath it are also trusted, because each subordinate's certificate chains back to the root through valid signatures. A relying party still has to build and validate that chain: every certificate in the path must be within its validity period, not on its issuer's CRL, and marked as a CA certificate, or the trust does not carry through.
  • To issue certificates, each CA must first have its own certificate, verifying its identity.
    • The root CA generates its own, self-signed certificate. Nothing vouches for a root; it is trusted only because it has been installed in the relying party's trusted root store.
    • Subordinate CAs obtain their CA certificates from the root CA or another subordinate CA. This authorizes the CA to issue certificates to other entities and to be trusted.
  • You can obtain certificates from a public CA (such as Verisign), or install your own PKI and CAs to issue certificates to users and computers in your organization. Note: If you want a certificate to be trusted by users outside of your organization, obtain a certificate from a third-party CA whose root is already present in their trust stores.
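The symmetric and asymmetric facts above, exercised end to end with the openssl command-line tool. This is an added example and not code from the original page or from AD CS; the message text, the party name "alice" and every file name are constructed for the demo. It shows the three properties the facts describe: the same secret key decrypts what it encrypted, a private-key signature proves origin and integrity while leaving the message readable, and encryption to a public key is readable only by the private key's owner.

```shell
#!/bin/sh
# Added example (not part of the original page): the symmetric/asymmetric
# facts above, exercised with the openssl command-line tool. The message,
# the party name "alice" and all file names are constructed for this demo.
set -eu
WORK=$(mktemp -d)
cd "$WORK"
printf 'Approve transfer of 10,000 to account 4711\n' > msg.txt   # constructed message

# --- Symmetric: one secret key encrypts and decrypts ----------------------
# Whoever holds shared.key can read or forge messages, so the key must reach
# the recipient over a channel the attacker cannot see (key distribution).
symmetric_roundtrip() {
    openssl rand -hex 32 > shared.key
    openssl enc -aes-256-cbc -pbkdf2 -pass file:shared.key -in msg.txt -out msg.enc
    openssl enc -d -aes-256-cbc -pbkdf2 -pass file:shared.key -in msg.enc -out msg.dec
    cmp -s msg.txt msg.dec            # same key, same plaintext back
}

# --- Asymmetric: a key pair; alice.key is private, alice.pub is public ----
# (On Windows the pair is generated by a CSP/KSP; here openssl does it.)
make_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out alice.key 2>/dev/null
    openssl pkey -in alice.key -pubout -out alice.pub
}

# Private key signs, public key verifies. This proves the message came from
# the holder of alice.key, but msg.txt itself is still sent in the clear:
# a signature gives origin and integrity, not confidentiality. What is
# actually "encrypted" with the private key is a SHA-256 hash of the message.
sign_and_verify() {
    openssl dgst -sha256 -sign alice.key -out msg.sig msg.txt
    openssl dgst -sha256 -verify alice.pub -signature msg.sig msg.txt >/dev/null
}

# Changing a single digit of the message invalidates the signature.
tamper_is_detected() {
    printf 'Approve transfer of 90,000 to account 4711\n' > tampered.txt
    ! openssl dgst -sha256 -verify alice.pub -signature msg.sig tampered.txt >/dev/null 2>&1
}

# Public key encrypts, only the private key decrypts: confidentiality.
# Real protocols encrypt a symmetric session key this way rather than the
# data, because public-key operations are slow and limited to small inputs.
encrypt_to_public_key() {
    openssl pkeyutl -encrypt -pubin -inkey alice.pub -in msg.txt -out msg.rsa
    openssl pkeyutl -decrypt -inkey alice.key -in msg.rsa -out msg.rsa.dec
    cmp -s msg.txt msg.rsa.dec
}

make_keypair
symmetric_roundtrip   && echo "symmetric: the shared key decrypts what it encrypted"
sign_and_verify       && echo "signature: origin verified, message still readable"
tamper_is_detected    && echo "signature: altered message rejected"
encrypt_to_public_key && echo "public-key encryption: only the private key decrypts"
```

Each function returns success only when the property it is named for holds, so the script can double as a smoke test of the openssl build on a machine. Note that the signature step never hides msg.txt: anyone on the wire reads the transfer instruction, they just cannot alter it or forge a new one without alice.key.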
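The certification hierarchy, the CA's issuing steps and the certificate fields listed above, built and checked with the openssl command-line tool. This is an added example, not code from the original page and not an AD CS procedure; the CA names, the host name www.example.test and the file names are assumed. It uses openssl x509 -req as a minimal signer rather than a full openssl ca database, so the revoke and publish-CRL steps are not shown. Beyond the page's own claim it also shows the caveat a relying party depends on: trust flows from the root only along a chain whose every member is a valid CA certificate, so an end-entity certificate cannot issue usable certificates even though it can produce valid signatures.

```shell
#!/bin/sh
# Added example (not part of the original page): a two-tier certification
# hierarchy built with the openssl command-line tool and checked the way a
# relying party checks it. The CA names, the host name www.example.test and
# the file names are assumed for this demo; nothing here is an AD CS command.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Minimal config: one extension profile for CA certificates, one for end entities.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ee_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
EOF

# self_signed NAME SUBJECT: a root issues its own certificate, so nothing
# vouches for it; a relying party must be configured to trust it explicitly.
self_signed() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.pem" \
        -subj "$2" -days 3650 -config pki.cnf -extensions ca_ext 2>/dev/null
}
# request NAME SUBJECT: the requester keeps its private key and sends the CA
# only a certificate signing request (CSR) carrying its public key and name.
request() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "$2" -config pki.cnf 2>/dev/null
}
# issue NAME ISSUER PROFILE DAYS: the CA signs the CSR with its own private key.
issue() {
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
        -out "$1.pem" -days "$4" -extfile pki.cnf -extensions "$3" 2>/dev/null
}

build_hierarchy() {
    self_signed root "/CN=Example Root CA"
    request sub "/CN=Example Issuing CA"; issue sub root ca_ext 1825   # root -> subordinate
    request www "/CN=www.example.test";   issue www sub  ee_ext 365    # subordinate -> end entity
    self_signed other "/CN=Some Other Root CA"                         # a root nobody here trusts
}

# The relying party trusts only root.pem. sub.pem is passed as an untrusted
# intermediate and is accepted because the trusted root signed it.
chain_verifies_under_trusted_root() {
    openssl verify -CAfile root.pem -untrusted sub.pem www.pem >/dev/null
}
# Same leaf, unrelated trust anchor: the path does not end at a trusted root.
chain_rejected_under_other_root() {
    ! openssl verify -CAfile other.pem -untrusted sub.pem www.pem >/dev/null 2>&1
}
# Without the subordinate's certificate the path cannot be built at all.
chain_rejected_without_intermediate() {
    ! openssl verify -CAfile root.pem www.pem >/dev/null 2>&1
}
# "If the root is trusted, subordinates are trusted" holds only for certificates
# the hierarchy authorised to issue. www.pem is CA:FALSE, so anything it signs
# fails path validation even though the signature itself is mathematically valid.
non_ca_cannot_issue() {
    request rogue "/CN=rogue.example.test"
    if ! issue rogue www ee_ext 30; then return 0; fi      # tool refused outright
    ! openssl verify -CAfile root.pem -untrusted sub.pem -untrusted www.pem rogue.pem >/dev/null 2>&1
}
# Fields from the "typical information in a certificate" list, as plain strings.
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer=//'; }

build_hierarchy
chain_verifies_under_trusted_root   && echo "www.pem accepted: root trusted, root vouches for sub"
chain_rejected_under_other_root     && echo "www.pem rejected under an unrelated root"
chain_rejected_without_intermediate && echo "www.pem rejected when sub.pem is missing"
non_ca_cannot_issue                 && echo "rogue.pem rejected: www.pem is not a CA"
echo "www.pem subject: $(cert_subject www.pem), issuer: $(cert_issuer www.pem)"
openssl x509 -in www.pem -noout -dates                     # validity period
```

Two points worth noticing when running it. First, the root's issuer equals its own subject: that is what "the root CA generates its own certificate" means, and why trust in a root has to be installed rather than proven. Second, the leaf's issuer equals the subordinate's subject, not the root's; the relying party reaches the root only by following the subordinate's certificate, which is why the subordinate must be available to the verifier (in AD CS terms, published to the intermediate store or fetched via AIA) before certificates it issued are accepted.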


