beautypg.com

Authentication, Types of, Ssl1000 user’s manual – Visara SSL1000 User Manual

Page 24

background image

3-2

707092-001

SSL1000 User’s Manual

So if protecting your data from bad guys with LAN monitors is all you are after,
you’re done.

But how can you be sure the bad guys have not set up a fake web server, that looks just
like your bank’s web page, and is just sitting there waiting for you to log in so they can
steal your username and password? In technical jargon, how can you authenticate your
connection?

Authentication is done with digital certificates. These are encoded blocks of data, that
include some information like the company name and location, a contact name, how
long the certificate is valid, what algorithm is used, and the same asymmetric public
key we discussed previously. Another very important piece of information included is
who created the certificate.

This is very important because how can you be sure the bad guys didn’t create a fake
certificate too? There is a group of companies that provide the service of creating digital
certificates, and everybody in the world trusts them, just like Swiss bank accounts
(mysterious, but trustworthy). These trusted Certificate Authorities, like Verisign and
Thawte, publish their digital signatures, and companies like Netscape and Microsoft
include them in their browsers.

If you buy a certificate from Verisign for your web server, it will have your server
information in it, along with Verisign’s public key, so that the browsers will see your
certificate, who issued it, and their certificate. The browser matches the issuer’s certificate
with its list of known Certificate Authorities. If there is a match, it declares your certificate
to be trustworthy. If there is no match, the browser will put up a warning that the certificate
can not be verified to be trustworthy, and will allow you to decide to accept or reject the
connection.

There are several types of certificates:

Server Certificate

. The most common - what is passed from server to client

when a connection is made. This certificate includes the issuer’s certificate.

Certificate Authority (CA) Certificate

. This can be stand-alone or included in

with an issued certificate. If it is in the list of “trusted certificate authorities”, then
all certificates issued by that CA are “trusted”.

Intermediate Certificate Authority Certificate

. This is when a trusted CA

gives license to someone else to issue CA certificates in his name. For example,
Verisign may grant a university the right to issue CA certificates, that include
Verisign’s signature, for all the campus servers. As long as the “chain of trust” goes
back to someone truly trusted, certificates issued by the Intermediate will be trusted.

Client Certificate

. These are used to authenticate a client to a server. The server

has to ask the client for his certificate (the client can’t just send it unsolicited), and
the server has to be configured to do this. The client’s public key is imported into the
server’s “key ring” and is checked every time the client connects. Client certificates
are often used instead of usernames and passwords.

S/MIME Certificate

. This is typically used to encrypt email, but can be used as

a client certificate. Thawte and Verisign will issue these to individuals - free for
the asking.

See also other documents in the category Visara Computer Accessories: