Digital certificate infrastructure functions and types

Date: 06.05.2023

Types of Digital Certificate:
Identity Certificates. An Identity Certificate is one that contains a signature verification key combined with sufficient information to identify (hopefully uniquely) the key holder. This type of certificate is much subtler than might first be imagined and will be considered in more detail later.
Accreditation Certificates. This is a certificate that identifies the key holder as a member of a specified group or organization without necessarily identifying them. For example, such a certificate could indicate that the key holder is a medical doctor or a lawyer. In many circumstances a particular signature is needed to authorize a transaction, but the identity of the key holder is not relevant. For example, pharmacists might need to ensure that doctors sign medical prescriptions, but they do not need to know the specific identities of the doctors involved. Here the certificate states in effect that the key holder, whoever they are, has 'permission to write medical prescriptions'. Accreditation certificates can be viewed as authorization (or permission) certificates. It might be thought that a doctor's key without identity would undermine the ability to audit the issue of medical prescriptions. However, while such a certificate might not contain key holder identity data, the certificate issuer will know it, so such requirements can be met if necessary.
Authorization and Permission Certificates. In these forms of certificate, the certificate signing authority delegates some form of authority to the key being signed. For example, a bank will issue an authorization certificate to its customers saying 'the key in this certificate can be used to authorize the withdrawal of money from account number 271828'. In general, the owner of any resource that involves electronic access can use an authorization certificate to control access to it. Other examples include control of access to secure computing facilities and to World Wide Web pages. In banking, an identity certificate might be used to set up an account, but the authorization certificate for the account will not itself contain identity data. To identify the owner of a certificate, a bank will typically look up the link between account numbers and owners in its internal databases. Placing such information in an authorization certificate is actually undesirable, since it could expose the bank or its customers to additional [2].
Also, there are:
Personal Certificates: used to identify yourself to the server and to all users.

  1. Individual Certificates enhance the security of some applications by assuring that a certificate's subject and e-mail address are included within VeriSign's repository, but they do not provide proof of identity.

  2. Individual Certificates provide a reasonable level of assurance of a subscriber's identity. Identities are checked against local records or Trusted Third Parties (TTP).

  3. Individual Certificates provide a higher level of assurance by validating the identity via in-person presentation of identification credentials or other enhanced procedures. Used in banking and contracting applications.

Server Certificates: designed to protect you and the visitors to your site; a server certificate is used by secure servers to assure the user that the site's affiliation is legitimate.
Authenticate your site: A digital certificate on your server automatically communicates your site's authenticity to visitors' web browsers, confirming that the visitor is actually communicating with you, and not with a fraudulent site stealing credit card numbers or other personal information. In practice the browser checks that the certificate chains to a trusted issuer and that the host name it connected to appears in the certificate's subject or Subject Alternative Name; a certificate for a different name is rejected even if it is otherwise valid.
Keep private communication private: Digital certificates let the data that visitors exchange with your site be encrypted, keeping it safe from interception or tampering, using SSL (Secure Sockets Layer) technology, the industry-standard method for protecting web communications [3]. Strictly, the certificate only authenticates the server's public key; the session encryption itself uses keys negotiated in the SSL/TLS handshake, and the SSL protocol versions have since been superseded by TLS.
Supported certificate/key types
The BIG-IP system supports multiple cipher suites when offloading SSL operations from a target server on the network. The BIG-IP system can support cipher suites that use these algorithms:

  • Rivest Shamir Adleman (RSA).

  • Elliptic Curve Digital Signature Algorithm (ECDSA).

  • Digital Signature Algorithm (DSA).

When you generate a certificate request or a self-signed certificate, you specify the type of private key, which determines the specific signing or encryption algorithm that is used to generate the private key.
RSA certificates. RSA (Rivest Shamir Adleman) is the original encryption algorithm that is based on the concept of a public and a private key. When a public site attempts to communicate with a device such as the BIG-IP system, the device sends the site a public key that the site uses to encrypt data before sending that data back to the device. The device uses the private key associated with the public key to decrypt the data. Only the device on which the certificate resides has access to this private key. Because an RSA key pair can both encrypt and sign, the same certificate also provides authentication: the server proves possession of the private key during the handshake. Note that this RSA key-transport exchange is only used by older cipher suites; TLS 1.3 removed it, and modern suites negotiate session keys with (EC)DHE and use the RSA key solely for signing.
DSA certificates. DSA (Digital Signature Algorithm) uses a different algorithm for signing key exchange messages than RSA. DSA is paired with a key exchange method such as Diffie-Hellman or Elliptic Curve Diffie-Hellman to achieve a comparable level of security to RSA. Because DSA is generally endorsed by federal agencies, specifying a DSA key type makes it easier to comply with government standards, such as those for specific key lengths. Be aware that TLS 1.3 defines no DSA signature schemes and FIPS 186-5 no longer approves DSA for generating new signatures, so DSA keys limit you to legacy cipher suites.
ECDSA certificates. When creating certificates on the BIG-IP system, you can create a certificate with a key type of ECDSA (Elliptic Curve Digital Signature Algorithm), which provides comparable security and better performance with significantly shorter key lengths.
For example, an RSA key size of 2048 bits is roughly equivalent in strength to an ECC key size of only 224 bits. As a result, less computing power is required, resulting in faster connections, and the shorter keys and signatures mean less data in the handshake. Encryption based on ECC is ideally suited for mobile devices that cannot store large keys. The BIG-IP system supports both the prime256v1 and secp384r1 curve names, although only prime256v1 can be associated with an SSL profile.
