
Security summary

I have started working on security issues, and there are many terms that need to be understood, so here are short explanations of them:

PKI - Public Key Infrastructure

The general name for everything that is needed to issue and trust digital certificates: the hardware, software, people, policies, and procedures used to create, manage, distribute, use, store, and revoke them.

SSL - Secure Sockets Layer

A protocol for a secure connection over the network. It ensures:

  • Confidentiality – the traffic between client and server is encrypted, so a third party on the path cannot read it
  • Integrity – data sent by either side cannot be modified in transit without the change being detected
  • Authentication – the server proves its identity to the client with a certificate; client authentication (the client presenting its own certificate, also called mutual TLS) is optional

SSL 3.0 was succeeded by TLS 1.0, whose internal protocol version number is 3.1, which is why the two names are often used interchangeably. SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 are all deprecated; new deployments should require TLS 1.2 or TLS 1.3.
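The three properties above are only delivered if the client is configured to demand them. The following is an added example (not code from the original post) that builds two Python `ssl` client contexts with the standard library, the common "make the certificate error go away" configuration beside a hardened one, and audits which properties each actually enforces. Nothing connects to the network; the `cafile` parameter of the hardened context is a hypothetical path to a private-CA bundle and is optional.

```python
import ssl

# Added example, not from the original post: two TLS client contexts,
# one that gives up server authentication and one that enforces all three
# properties (confidentiality, integrity, authentication). The contexts are
# only inspected; no connection is opened.


def make_weak_context() -> ssl.SSLContext:
    """The copy-pasted 'disable verification' configuration.

    Traffic is still encrypted, but any server (or man-in-the-middle) that
    presents any certificate is accepted, so the peer is never authenticated.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # accept any certificate at all
    return ctx


def make_hardened_context(cafile=None) -> ssl.SSLContext:
    """Server authentication against a trust store, hostname check, and
    no SSL 3.0 / TLS 1.0 / TLS 1.1.

    cafile: optional (hypothetical) path to a private-CA bundle; when None
    the operating system's trust store is used.
    """
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # refuse the deprecated versions
    ctx.check_hostname = True                         # certificate must match the host
    ctx.verify_mode = ssl.CERT_REQUIRED               # unverifiable chain => handshake fails
    return ctx


def audit(ctx: ssl.SSLContext) -> dict:
    """Report which of the properties a context actually enforces."""
    return {
        # Server authentication needs both chain validation and the hostname check.
        "authenticates_server": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
        # Confidentiality/integrity guarantees of SSL 3.0 and TLS 1.0/1.1 are broken.
        "modern_version_only": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
    }


if __name__ == "__main__":
    print("weak:     ", audit(make_weak_context()))
    print("hardened: ", audit(make_hardened_context()))
```

The hardened context is used as `ctx.wrap_socket(sock, server_hostname="host.example")`; the `server_hostname` argument is what the hostname check compares against, so omitting it silently weakens the authentication property again.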

CRL - Certificates Revocation List

A signed list of certificates that a specific issuer has revoked before their expiry date.

A certificate can carry a URL (the CRL Distribution Points extension) where the issuer publishes its CRL. A relying party, for example a web server validating a client certificate, fetches the CRL and checks that the serial number of the presented certificate is not on it. Before the list is trusted it must itself be verified against the issuer's (CA's) signature and checked to be current (its nextUpdate time has not passed); a stale or unreachable CRL should be treated as a validation failure rather than silently ignored.

CA - Certificate Authority

The certificate issuer: the party trusted by the users of the PKI to sign certificates and to publish the CRL for the certificates it has issued.


Authentication: Who sent this message?

“it’s from me, Julie. I swear! Trust me.”
“it’s from me, Bill Gates. I swear! Trust me. Heh heh.”

Solution: Credentials that only the claimed identity can present
Login/Password
Digital Certificate (the holder proves possession of the matching private key)

Authorization: What can this person do?

Retrieve telephone numbers? Social Security numbers?
Delete Records?

Solution: Use roles to define privileges, and check the caller's role before each operation

Confidentiality: Who can read this message?

*$#(UDUSF(*#WJF*SJ()jd90fd”Q@fdsj48!
“thanks for sending me that credit card number! Heh heh.”

Solution: Encryption
A shared secret (symmetric) or public/private key pairs (asymmetric) to encrypt and decrypt

Integrity: Did anyone tamper with this message?

“darling, will you marry me?”
“darling, I must confess, I’m married”

Solution: Digital Signature (or a keyed MAC when the parties share a secret) computed by the sender over the message; the receiver recomputes it and compares, so any change made in transit is detected
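The following is an added example, not code from the original post, of the integrity and authentication check described above. A digital signature needs a public/private key pair, which the Python standard library does not provide, so it uses the shared-secret form of the same idea, an HMAC: the sender attaches a tag computed from the message and the key, and the receiver recomputes the tag and compares it. The key and both messages are constructed here for the demonstration; the last case shows why a plain hash with no key is not an integrity check.

```python
import hashlib
import hmac
import os

# Added example, not from the original post. HMAC-SHA256 as the shared-secret
# counterpart of a digital signature: anyone who changes the message also has
# to produce a matching tag, which requires the key.

SHARED_KEY = os.urandom(32)   # constructed here; in practice agreed out of band


def seal(key: bytes, message: bytes) -> bytes:
    """Tag the sender attaches to the message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time (no timing leak on mismatch)."""
    return hmac.compare_digest(seal(key, message), tag)


def unkeyed_check(message: bytes, digest: bytes) -> bool:
    """The mistake to avoid: a plain hash with no key only detects accidental
    corruption, not an attacker who can rewrite the message."""
    return hashlib.sha256(message).digest() == digest


def demo() -> dict:
    sent = b"darling, will you marry me?"
    tampered = b"darling, I must confess, I'm married"
    tag = seal(SHARED_KEY, sent)

    # Attacker rewrites the text in transit but does not hold SHARED_KEY, so the
    # best they can do is keep the old tag or forge one under a key of their own.
    forged_tag = seal(os.urandom(32), tampered)

    # With a plain hash, the attacker simply recomputes it over the new text and
    # the receiver accepts the tampered message.
    attacker_digest = hashlib.sha256(tampered).digest()

    return {
        "original_accepted": verify(SHARED_KEY, sent, tag),
        "tampered_rejected": not verify(SHARED_KEY, tampered, tag),
        "forged_tag_rejected": not verify(SHARED_KEY, tampered, forged_tag),
        "plain_hash_fooled": unkeyed_check(tampered, attacker_digest),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

An HMAC proves the message came from someone holding the shared key, which is authentication among the key holders only; a digital signature with a private key goes further, because only one party can produce it and any holder of the public key can check it.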

Comments

eSignature said…
Thanks a lot for this contribution! It is very useful to me. Everything is very open and represents very clear explanation of issues. Really blogging is spreading its wings quickly. Your write up is a good example of it.
Ziv said…
Thanks!
