4.7. Nonce:
- A nonce is a random value that is repeated in a message to assure
that the response is fresh and has not been replayed by an
opponent.
4.8. Uses of public-key cryptography related to key distribution:
- Public-Key Encryption: The message is encrypted with the
recipient's public key and can only be decrypted with the
corresponding private key.
- Digital Signatures: The message is signed with the sender's
private key, and it can be verified by anyone who has access to the
sender's public key.
4.9. Essential ingredients of a public-key directory:
- There needs to be an authority that maintains a directory with an
entry for each participant.
- Each participant must register a public key with the directory
authority and may replace the existing public key with a new one
at any time.
- Participants can also access the directory electronically.
4.10. Public-Key certificate:
- A public-key certificate consists of a public key and a user ID of
the key owner, with the whole block signed by a trusted third party.
- The user can present the public key to the authority in a secure
manner and obtain the public-key certificate.
- Anyone who needs this user's public key can obtain the
certificate and verify that it is valid by way of the trusted
signature.
4.11. Requirements for the use of a public-key certificate scheme:
- Only the certificate authority can create and update
certificates
- Any participant can verify that the certificate originated from
the certificate authority and is not counterfeit
- Any participant can verify the currency of the certificate
- Any participant can read a certificate to determine the name
and public key of the certificate's owner
4.12. Purpose of X.509 standard:
- X.509 is part of the X.500 series, which defines a directory
service.
- The directory is a server or distributed set of servers that
maintains a database of information about users.
- X.509 defines the framework for the provision of authentication
services by the X.500 directory to its users. The directory may
serve as a repository of public-key certificates.
- It also defines the alternative authentication protocol based
on the use of public-key certificates.
4.13. Chain of Certificates:
- A certificate chain consists of all the certificates needed to
certify the subject identified by the end certificate.
- This includes the following:
  - The end certificate
  - The certificates of intermediate CAs
  - The certificate of a root CA trusted by all parties in the
  chain
- Every intermediate CA in the chain holds a certificate issued
by the CA one level above it in the trust hierarchy.
- The root CA issues a certificate for itself.
4.14. An X.509 certificate may be revoked for the following reasons:
- The CA's certificate is assumed to be compromised.
- The user is no longer certified by this certificate
authority (CA). This is because:
  - The subject name has changed
  - The certificate is suspended, or
  - The certificate was not issued in conformance with the CA's
  policies.
- The user's private key is assumed to be compromised.
The CAs must maintain a list consisting of all revoked
certificates issued by the CA, including both those issued to users
and to other CAs. These lists should be posted on the
directory.
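
The chain check from 4.13 combined with the revocation list from 4.14, as an added example that is not part of the original notes. It assumes toy textbook RSA over small fixed primes (illustration only, no padding), hypothetical names such as `verify_chain` and `issue`, and a revocation list modelled as a set of (issuer, serial) pairs.

```python
import hashlib

P = [2**k - 1 for k in (61, 89, 107, 127)]  # Mersenne primes (toy key material)

def make_key(p, q, e=65537):
    """Toy textbook RSA key, assumed here for illustration only."""
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def tbs(cert):
    """Hash of the signed block: serial, user ID, issuer and public key."""
    fields = (cert["serial"], cert["subject"], cert["issuer"], cert["n"], cert["e"])
    return int(hashlib.sha256(repr(fields).encode()).hexdigest(), 16)

def issue(serial, subject, subject_key, issuer, issuer_key):
    """The CA signs the subject's ID and public key with its private key."""
    cert = {"serial": serial, "subject": subject, "issuer": issuer,
            "n": subject_key["n"], "e": subject_key["e"]}
    cert["sig"] = pow(tbs(cert) % issuer_key["n"], issuer_key["d"], issuer_key["n"])
    return cert

def signed_by(cert, issuer_cert):
    """Anyone holding the issuer's public key can check the signature."""
    n, e = issuer_cert["n"], issuer_cert["e"]
    return pow(cert["sig"], e, n) == tbs(cert) % n

def verify_chain(chain, trusted_roots, crl):
    """chain = [end, intermediates..., root]; returns (ok, reason)."""
    root = chain[-1]
    if trusted_roots.get(root["subject"]) != (root["n"], root["e"]):
        return False, "untrusted root"
    # Each certificate is checked against the one above it; the root against itself.
    for cert, issuer_cert in zip(chain, chain[1:] + [root]):
        if cert["issuer"] != issuer_cert["subject"]:
            return False, f"issuer mismatch at {cert['subject']}"
        if not signed_by(cert, issuer_cert):
            return False, f"bad signature on {cert['subject']}"
        if (cert["issuer"], cert["serial"]) in crl:
            return False, f"revoked: {cert['subject']}"
    return True, "ok"

# Constructed sample hierarchy: root CA -> intermediate CA -> end user.
root_key = make_key(P[0], P[1])
int_key = make_key(P[1], P[2])
user_key = make_key(P[2], P[3])
ROOT = issue(1, "Root CA", root_key, "Root CA", root_key)  # self-issued
INTER = issue(2, "Intermediate CA", int_key, "Root CA", root_key)
USER = issue(7, "alice", user_key, "Intermediate CA", int_key)
TRUSTED = {"Root CA": (ROOT["n"], ROOT["e"])}
```

Revoking the intermediate CA's certificate invalidates every end certificate beneath it, which is why the list covers certificates issued to other CAs as well as to users.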