RSA Security 5.2.2 Projection Television User Manual


 
Cryptography Overview
62 RSA BSAFE Crypto-C Developer's Guide
A certificate connects an entity to a public key. For instance, it can list an individual's
name, address, and public key. When people want to use a person's public key, they
look up the certificate associated with that person's name and address. A certificate
can contain a wide variety of information on its owner, such as the person's
organization or job title. This helps differentiate between people who have the same
name. The certificate can also contain information on when it was issued or when the
public key expires.
For a certificate system to work, there need to be individuals or organizations that
issue and maintain the certificates. These are known as certificate authorities, or CAs.
An individual can request a certificate by presenting a CA with a public key, a
name, and any other identifying information. It is then the CA's responsibility to
verify that the entity making the request is indeed the person identified by the
information or is authorized to be associated with that key. The level of trust users
place in a CA will depend on the level of verification it performs.
When you ask for an individual's public key, the CA sends the certificate and signs it
with the digest of the certificate encrypted with the CA's private key. To verify that
the certificate is genuine, you must digest the certificate and decrypt the signature
using the CA's public key. Compare the two results: if they are the same, you have a
proper certificate.
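The check described above, as an added example (not taken from the Crypto-C guide and not using the Crypto-C API): a toy CA signs the SHA-256 digest of a certificate with raw RSA, and the user recomputes the digest and compares it with the value recovered using the CA's public key. The key pair (built from two Mersenne primes), the JSON encoding, and all certificate field values are constructed assumptions.

```python
import hashlib
import json

# Constructed toy CA key pair built from two Mersenne primes (assumption for
# this demo only; real CA keys use random primes and a padded signature scheme).
_P, _Q = 2**127 - 1, 2**521 - 1
CA_N = _P * _Q                                  # CA public modulus
CA_E = 65537                                    # CA public exponent
_CA_D = pow(CA_E, -1, (_P - 1) * (_Q - 1))      # CA private exponent


def encode_cert(fields: dict) -> bytes:
    """Serialize certificate fields deterministically so both sides digest the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")


def digest(cert_body: bytes) -> int:
    """SHA-256 digest of the certificate body, as an integer (always below CA_N here)."""
    return int.from_bytes(hashlib.sha256(cert_body).digest(), "big")


def ca_sign(cert_body: bytes) -> int:
    """CA side: transform the digest with the CA private key (raw RSA, no padding)."""
    return pow(digest(cert_body), _CA_D, CA_N)


def verify_cert(cert_body: bytes, signature: int, n: int = CA_N, e: int = CA_E) -> bool:
    """User side: digest the certificate, apply the CA public key to the signature, compare."""
    if not 0 < signature < n:
        return False                            # malformed signature value
    return pow(signature, e, n) == digest(cert_body)


# Constructed sample certificate (all values are made up).
CERT = {"name": "Alice Example", "address": "1 Sample Street",
        "organization": "Example Corp", "public_key": "0xA11CE",
        "not_after": "2030-01-01"}
BODY = encode_cert(CERT)
SIG = ca_sign(BODY)

# Same certificate with the public key swapped after the CA signed it.
FORGED_BODY = encode_cert({**CERT, "public_key": "0xBADBAD"})

if __name__ == "__main__":
    print("genuine certificate :", verify_cert(BODY, SIG))
    print("substituted key     :", verify_cert(FORGED_BODY, SIG))
    print("altered signature   :", verify_cert(BODY, SIG ^ 1))
```

Because the signature covers the digest of every field, replacing the public key in an otherwise valid certificate makes the comparison fail.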
If the CA you deal with does not have a certificate for the individual in question, that
CA can communicate with another CA that might have the right certificate. In fact, to
find a particular certificate, a CA may have to go through a chain of CAs until it finds
one that possesses the desired certificate.
Names that uniquely distinguish users are necessary for digital certificates to be of
real use. The CCITT X.500 series of documents offers more discussion regarding
naming conventions and related topics.
Diffie-Hellman Public Key Agreement
The Diffie-Hellman Public Key Agreement, invented by Whitfield Diffie and Martin
Hellman in 1976, was the first true public-key algorithm. It provides a method for key
agreement; that is, it allows two parties to each compute the same secret key without
exchanging secret information. Diffie-Hellman key agreement does not provide
encryption or authentication.
The Algorithm
The Diffie-Hellman algorithm is made up of three parts (see Figure 3-12 on page 63):
Parameter Generation