Security summary

I started working on security issues. There are many terms that need to be understood, so I wrote short explanations of them:

PKI - Public Key Infrastructure

General name for 'all stuff that is needed for security': hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.

SSL - Secure Sockets Layer

A protocol for secure connections over the network. It ensures:

  • Confidentiality – secure communication between server-client
  • Integrity assurance – data sent from the client was not tampered with in transit
  • Authentication (optional) – the server authenticates to the client and vice versa

The latest SSL version is 3.1, which is also known as TLS.

CRL - Certificate Revocation List

A CRL is a list of revoked certificates from a specific certificate issuer.

Each certificate can hold a URL where the issuer publishes its CRL, so anyone, such as a web server, can fetch the CRL and ensure that the certificate presented has not been revoked by the certificate issuer (CA).
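
The check described above, as an added example (not code from the original post): it uses the Python `cryptography` package with a constructed CA, two constructed certificates and a constructed CRL, so nothing is fetched from the network. The names CRL_URL, CA_NAME, make_cert, make_crl, crl_urls, is_revoked and demo are assumptions made for illustration.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

CRL_URL = "http://ca.example.test/issuer.crl"   # constructed placeholder URL
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])

def make_cert(cn, key, ca_key, serial, now):  # constructed cert carrying the CRL address
    url = [x509.UniformResourceIdentifier(CRL_URL)]
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(url, None, None, None)])
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
            .issuer_name(CA_NAME).public_key(key.public_key()).serial_number(serial)
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=30))
            .add_extension(cdp, critical=False).sign(ca_key, hashes.SHA256()))

def make_crl(signing_key, revoked_serials, now):  # the list published at CRL_URL
    b = (x509.CertificateRevocationListBuilder().issuer_name(CA_NAME)
         .last_update(now).next_update(now + datetime.timedelta(days=7)))
    for s in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(s).revocation_date(now).build())
    return b.sign(signing_key, hashes.SHA256())

def crl_urls(cert):
    """Read the CRL address(es) the issuer placed in the certificate."""
    ext = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints)
    return [n.value for dp in ext.value for n in (dp.full_name or [])]

def is_revoked(cert, crl, ca_public_key):
    """Accept the CRL only if the certificate's issuer signed it, then look up the serial."""
    if crl.issuer != cert.issuer or not crl.is_signature_valid(ca_public_key):
        raise ValueError("CRL is not from this certificate's issuer")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None

def demo():
    now = datetime.datetime(2024, 1, 1)           # constructed issue time
    ca_key, rogue_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    good = make_cert("good.example.test", leaf_key, ca_key, 1001, now)
    bad = make_cert("bad.example.test", leaf_key, ca_key, 1002, now)
    crl, forged = make_crl(ca_key, [1002], now), make_crl(rogue_key, [], now)
    pub = ca_key.public_key()
    try:
        is_revoked(bad, forged, pub)              # same issuer name, wrong signing key
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    return crl_urls(good), is_revoked(good, crl, pub), is_revoked(bad, crl, pub), forged_rejected
```

A relying party would also reject a CRL whose next-update time has passed, which this example leaves out.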


Certificate issuer

Authentication: Who sent this message?

“it’s from me, Julie. I swear! Trust me.”
“it’s from me, Bill Gates. I swear! Trust me. Heh heh.”

Solution: Credentials
Digital Certificate

Authorization: What can this person do?

Retrieve telephone numbers? Social Security numbers?
Delete Records?

Solution: Use Roles to define privileges

Confidentiality: Who can read this message?

“thanks for sending me that credit card number! Heh heh.”

Solution: Encryption
Shared secret or public/private key pairs to encrypt & decrypt

Integrity: Did anyone tamper with this message?

“darling, will you marry me?”
“darling, I must confess, I’m married”

Solution: Digital Signature used to compare sent & received message


eSignature said...

Thanks a lot for this contribution! It is very useful to me. Everything is very open and represents a very clear explanation of issues. Really, blogging is spreading its wings quickly. Your write-up is a good example of it.

Ziv said...