Security summary

I started working on security issues. There are many terms that need to be understood. So I write short explanation of them:

PKI - Public Key Infrastructure

General name for 'all stuff that is needed for security': hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.

SSL - Secure Sockets Layer

A protocol for secure connection over the net. It insure

• Confidentiality – secure communication between server-client
• Integrity assurance – data sent from the client was not tampered with in transit
• Authentication (optional) – server AuthN to Client and vice versa

SSL latest version is 3.1 and is also known as TLS

CRL - Certificates Revocation List

A list is a list of revoked certificates from a specific certificate issuer.

Each certificate can hold an address as URL where the issuer places its CRL and anyone like a web server could fetch the CRL and insure the certificate presented has not been revoked by the Certificate issuer (CA).

CA

Certificate issuer

Authentication: Who sent this message?

“it’s from me, Julie. I swear! Trust me.”
“it’s from me, Bill Gates. I swear! Trust me. Heh heh.”

Solution: Credentials
Login/Password
Digital Certificate

Authorization: What can this person do?

Retrieve telephone numbers? Social Security numbers?
Delete Records?

Solution: Use Roles to define privileges

Confidentiality: Who can read this message?

*$#(UDUSF(*#WJF*SJ()jd90fd”Q@fdsj48!
“thanks for sending me that credit card number! Heh heh.”

Solution: Encryption
Shared secret or public/private key pairs to encrypt & decrypt

Integrity: Did anyone tamper with this message?

“darling, will you marry me?”
“darling, I must confess, I’m married”

Solution: Digital Signature used to compare sent & received message