X.509 is a digital certificate format based on the widely accepted international X.509 public key infrastructure (PKI) standard. It is used to verify that a public key belongs to the user, computer or service identity contained within the certificate.

Structure of X.509 certificates

Subject: It gives the name of the computer, user, network device or service that the CA issued the certificate to. The subject is commonly named using X.500 or Lightweight Directory Access Protocol (LDAP) format.

Serial Number: It provides a unique identifier for each certificate.

Issuer: It provides the distinguished name of the CA that issued the certificate.
The issuer name is commonly expressed in X.500 or LDAP format. For a root CA, the issuer and the subject are the same. For all other CA certificates and for end-entity certificates, the subject and the issuer are different.

Valid From: It provides the date and time when the certificate becomes valid.

Valid To: It provides the date and time after which the certificate is no longer valid.

Public Key: It contains the public key of the key pair associated with the certificate.

In addition to the fields defined in X.509 version 1, X.509 version 3 certificates include optional fields, or extensions, that provide additional features and functionality to the certificate. These extensions are not included in every certificate that a CA issues.

Subject alternative name: A subject can be represented in many different formats. For example, if the certificate must include a user's account name in the format of an LDAP distinguished name, e-mail name and user principal name (UPN), the e-mail name or UPN can be included in the certificate by adding a subject alternative name extension that carries these additional name formats. The subject alternative name is mainly used in end-entity certificates, not in CA certificates.

Basic constraints: This X.509 version 3 extension is used to differentiate between an end-entity certificate and a CA certificate. There are still some PKI clients that do not recognize basic constraints, which can make it possible for an end entity to act as a CA.
Windows 2000 operating systems honor basic constraints in accordance with Internet Engineering Task Force (IETF) Request for Comments (RFC) 2459 and will reject CA certificates that do not contain this extension.

Name constraints: This extension specifies the namespaces that are accepted or excluded by a qualified subordinate CA and its subordinates when issuing certificates.

Policies: It defines a list of acceptable issuance and application policies for certificate use. These policies are identified in the certificate by object identifiers (also known as OIDs).

Policy mapping: It allows a policy from one domain to be mapped to a policy in another domain.

Policy constraints: It limits the levels of the subordinate hierarchy to which a policy is applied. This extension is used in conjunction with issuance and application policies.

Application policy: It defines which applications can be used in conjunction with certain certificates.

Application policy mapping: It identifies equivalent policies between two different organizations that certify each other by using certificate application policies.

Cross certificate distribution points: It identifies the cross certificates related to a particular certificate and how the cross certificate locations are updated.

CRL distribution points (CDP): It is used by an application or service to determine whether a certificate has been revoked before its validity period has expired.

Authority Information Access (AIA): It provides one or more URLs from which an application or service can retrieve the issuing CA's certificate.
It is also used to validate the certificate of the CA, which acts as the parent CA, for revocation and validity.

Enhanced Key Usage (EKU): It defines which applications can be used in conjunction with certain certificates. Because some implementations of public key infrastructure (PKI) applications might not understand application policies, both the application policies and the enhanced key usage sections appear in certificates issued by a Microsoft CA.

Figure: X.509 digital certificate (labels: unsigned certificate, User ID, User Public Key, signed certificate, CA Public Key).

The diagram shows an X.509 digital certificate. The first part is the unsigned digital certificate, which consists of a user ID and the user's public key. The unsigned certificate is hashed, and the hash is passed to the certificate authority. The certificate authority encrypts the hash, and the result is a signed digital certificate.

X.509 certificates are important for the following reasons:
1 They provide a standard way to establish which user a public key belongs to.
2 They identify the computer or service associated with a certificate.
3 They are generally used to validate connection endpoints (the identity of the server to which a connection is made).
4 They are generally used for Server Name Indication, which deals with multiple host names served from a single IP address.
5 They are also used for certificate revocation: a certificate that has been compromised, whether it is in use or was used for signing, should be revoked.
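
The hash-then-sign step described for the diagram above, as an added example that is not part of the original text: the CA hashes the unsigned certificate (user ID plus user public key) and transforms the digest with its private key, and anyone holding the CA public key can check the result. The key pair, field names and sample values are assumptions, and the unpadded RSA used here is a teaching toy, not a production signature scheme.

```python
import hashlib

# Toy CA key pair (assumption, for illustration only). Two Mersenne primes keep
# the example standard-library only; real CAs use random primes and padding.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                     # CA public key: modulus and exponent
D = pow(E, -1, (P - 1) * (Q - 1))       # CA private exponent

def tbs_bytes(cert):
    """Serialize the unsigned certificate fields in a fixed order."""
    return "|".join(f"{k}={cert[k]}" for k in sorted(cert)).encode()

def digest_int(cert):
    """Hash the unsigned certificate; return the SHA-256 digest as an integer."""
    return int.from_bytes(hashlib.sha256(tbs_bytes(cert)).digest(), "big")

def ca_sign(cert):
    """CA side: apply the private key to the digest (the 'encrypt the hash' step)."""
    return pow(digest_int(cert), D, N)

def verify(cert, signature):
    """Relying party: recover the digest with the CA public key and compare."""
    return pow(signature, E, N) == digest_int(cert)

# Constructed sample: an unsigned certificate holding a user ID and public key.
UNSIGNED = {"user_id": "alice@example.test",
            "user_public_key": "04a1b2c3 (constructed)"}
SIGNATURE = ca_sign(UNSIGNED)

def demo():
    """Return (genuine certificate verifies, certificate with swapped key verifies)."""
    tampered = dict(UNSIGNED, user_public_key="04ffee00 (constructed)")
    return verify(UNSIGNED, SIGNATURE), verify(tampered, SIGNATURE)

if __name__ == "__main__":
    print(demo())
```

Because the signature covers the digest of every field, replacing the public key while keeping the old signature makes verification fail.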

Asymmetric Key

Asymmetric-key algorithms are commonly referred to as “public-key algorithms”. They use two mathematically associated keys known as public and private keys. One key is used for data encryption, and the other is used for decryption of data. The combination of a public and private key is called a key pair. The private key is always kept secret by the owner.
The public key is distributed to the public and everyone can access it. The private key cannot be deduced from the public key. The public key is mostly bound to an identity by a Certificate Authority.

Asymmetric-key algorithms are mostly based on mathematical problems like integer factorization and the discrete logarithm problem. Main uses of asymmetric algorithms are:
1. Creation of digital signatures
2. To establish/distribute session keys, such as in the case of the TLS protocol

Asymmetric keys serve the following purposes:
• The asymmetric key is used to exchange secrets over an unreliable network secretly and with integrity.
• It encrypts small pieces of data.
• It encrypts symmetric keys and hashes.
• Today's common asymmetric algorithms are Diffie-Hellman, RSA and the Digital Signature Standard.
• SDP/PA uses asymmetric key encryption for:
  Encrypting keys on disk
  Exchanging symmetric keys during the TLS handshake
  Generating and validating X.509 certificates

Symmetric key Functions

Symmetric encryption is also referred to as conventional encryption or single-key encryption, and it consists of the following components:
1 Plaintext: It is the message or data that is fed in as input.
2 Encryption algorithm: The encryption algorithm performs various substitutions and permutations on the plaintext.
3 Secret key: The secret key is an input to the encryption algorithm. The exact substitutions depend on the key used; the algorithm produces a different output depending on the specific key being used at the time.
4 Ciphertext: The ciphertext is the message produced as output.
It depends on the plaintext and the key. The ciphertext is an apparently random stream of data that is unintelligible.
5 Decryption algorithm: The decryption algorithm is the encryption algorithm run in reverse. It takes the ciphertext and produces the original plaintext.

There are two requirements for a symmetric key cryptosystem:
1. We assume it is impractical to decrypt a message on the basis of the ciphertext plus knowledge of the encryption/decryption algorithm. In other words, we do not need to keep the algorithm secret; we need to keep only the key secret.
2. Sender and receiver must have obtained copies of the secret key in a secure fashion and must keep the key secure. If someone can discover the key and knows the algorithm, all communications using this key are readable.
We will describe later in this lecture how a public-key cryptosystem can be used for secure key exchange.

Hash Functions

A hash function takes a plaintext as input, and it is impossible to recover the plaintext from the hash value. The primary application of hash functions in cryptography is message integrity. A hash function provides a digital fingerprint of a message's contents, which ensures that the message has not been altered by an intruder, virus or other means. Hash functions are effective because of the extremely low probability that two different plaintext messages will yield the same hash value.

There are several well-known hash functions in use today:
• Hashed Message Authentication Code (HMAC): Combines authentication via a shared secret with hashing.
• Message Digest 2 (MD2): Byte-oriented, produces a 128-bit hash value from an arbitrary-length message, designed for smart cards.
• MD4: Similar to MD2, designed specifically for fast processing in software.
• MD5: Similar to MD4 but slower because the data is manipulated more. Developed after potential weaknesses were reported in MD4.
• Secure Hash Algorithm (SHA): Modeled after MD4 and proposed by NIST for the Secure Hash Standard (SHS), produces a 160-bit hash value.

Secure Hash Standard (SHS)
• Standard issued by the National Institute of Standards and Technology (NIST).
• Standard document FIPS 180-1 specifies SHA-1 (Secure Hash Algorithm 1) as a secure algorithm for computing a condensed representation of a message or data file.
• SHA-1 produces a 160-bit message digest, which can be used as an input to a digital signature algorithm.
• SHA-1 is based on principles modeled after MD4 (which is part of the MDx family of hash algorithms created by Ronald Rivest).
• New hash algorithms (SHA-256, SHA-384, and SHA-512) have been proposed by NIST as standards for 128, 192, and 256 bits, respectively.
• The number of bits used in the hash algorithm is a measurement of the strength of the algorithm against collision attacks.
• SHA-256 is essentially a 256-bit block cipher algorithm that encrypts the intermediate hash value, with the message block functioning as the key.
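
The message-integrity role of hash functions and the HMAC entry above, as an added example that is not part of the original text: an unkeyed digest catches a message that changed in transit, but only a keyed HMAC still fails when the intruder also replaces the digest. The key, messages and function names are constructed for illustration.

```python
import hashlib
import hmac

def digest_bits():
    """Digest sizes, in bits, of the SHA family members named above."""
    return {name: hashlib.new(name).digest_size * 8
            for name in ("sha1", "sha256", "sha384", "sha512")}

def plain_digest(message):
    """Unkeyed fingerprint: anyone can compute it."""
    return hashlib.sha256(message).hexdigest()

def mac(key, message):
    """Keyed fingerprint: requires the shared secret."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def verify_plain(message, digest):
    return hmac.compare_digest(plain_digest(message), digest)

def verify_mac(key, message, tag):
    # compare_digest runs in constant time, so the check leaks no timing hint.
    return hmac.compare_digest(mac(key, message), tag)

# Constructed sample data.
KEY = b"constructed-shared-secret"
ORIGINAL = b"pay 100 to account 12345"
ALTERED = b"pay 900 to account 12345"

def scenario():
    """What each check concludes when the message is altered in transit."""
    return {
        # Only the message changes: both checks notice.
        "plain_detects_change": not verify_plain(ALTERED, plain_digest(ORIGINAL)),
        "hmac_detects_change": not verify_mac(KEY, ALTERED, mac(KEY, ORIGINAL)),
        # Message and digest are both replaced: the unkeyed check is satisfied.
        "plain_accepts_replaced_digest": verify_plain(ALTERED, plain_digest(ALTERED)),
        # Without the shared secret, no valid tag can be attached.
        "hmac_rejects_wrong_key": not verify_mac(KEY, ALTERED, mac(b"not-the-key", ALTERED)),
    }

if __name__ == "__main__":
    print(digest_bits())
    print(scenario())
```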