beautypg.com

Message encryption, Digital signatures, Certificates – Allied Telesis AT-S60 User Manual

Page 360: Message encryption digital signatures certificates

background image

AT-S60 Management Software User’s Guide

Section III: Security Features

359

Message

Encryption

One of the two main services provided by public key encryption is the
exchange of encrypted messages. For example, user 1 can send a secure
message to user 2 by encrypting it with user 2’s public key. Only user 2
can decrypt it, because only user 2 has access to the corresponding
private key.

Digital

Signatures

The second main service provided by public key encryption is digital
signing. Digital signatures both confirm the identity of the message’s
supposed sender and protect the message from tampering. Therefore
they provide message authentication and non-repudiation. It is very
difficult for the signer of a message to claim that the message was
corrupted, or to deny that it was sent.

Both the exchange of encrypted messages and digital signatures are
secure only if the public key used for encryption or decryption belongs
to the message’s expected recipient. If a public key is insecurely
distributed, it is possible a malicious agent could intercept it and replace
it with the malicious agent’s public key (the Man-in-the-Middle attack).
To prevent this, and other attacks, PKI provides a means for secure
transfer of public keys by linking an identity and that identity’s public
key in a secure certificate.

Warning

While a certificate binds a public key to a subject to ensure the
public key’s security, it does not guarantee that the security of the
associated private key has not been breached. A secure system is
dependent upon private keys being kept secret, by protecting them
from malicious physical and virtual access.

Certificates

A certificate is an electronic identity document. To create a certificate for
a subject, a trusted third party (known as the Certification Authority)
verifies the subject’s identity, binds a public key to that identity, and
digitally signs the certificate. A person receiving a copy of the certificate
can verify the Certification Authority’s digital signature and be sure that
the public key is owned by the identity in it.

The switch can generate a self-signed certificate but this should only be
used with an SSL enabled HTTP server, or where third party trust is not
required.

X.509 Certificates

The X.509 specification specifies a format for certificates. Almost all
certificates use the X.509 version 3 format, described in RFC 2459,
Internet X.509 Public Key Infrastructure Certificate and CRL Profile. This is
the format which is supported by the switch.

See also other documents in the category Allied Telesis Computer hardware: