Question

4NCA:

• 4.7 What is a nonce?

• 4.8 What are two different uses of public-key cryptography related to key distribution?

• 4.9 What are the essential ingredients of a public-key directory?

• 4.10 What is a public-key certificate?

• 4.11 What are the requirements for the use of a public-key certificate scheme?

• 4.12 What is the purpose of the X.509 standard?

• 4.13 What is a chain of certificates?

• 4.14 How is an X.509 certificate revoked?

Answer 1

4.7. Nonce:

• Nonce is a random value to be repeated in message to assure that the response is fresh and has not been replayed by an opponent.

4.8. Uses of Public-key cryptography related to key distribution:

• Public Key Encryption: The message is encrypted with the recipient's public key and can only be decrypted with a private key.
• Digital Signatures: The message is signed with the sender's private key and it can be verified by anyone who has access to this public key.

4.9. Essential ingredients of a Public-Key directory:

• There needs to be an Authority that maintains a directory with an Entry for each participant.
• From there, each participant must register a public key with the directory authority and they may be able to replace this existing public key with a new one at any time.
• The participants will also be allowed to access the directory electronically.

4.10. Public-Key certificate:

• A Public-Key certificate consists of a public key and a user ID of the key owner, and this whole block is signed by a trusted third party.
• Then, the user can present this public key to the authority in a secure manner and then obtain the public-key certificate.
• Anyone who needs this user's public key can obtain the certificate and verify that it is valid by the way of a trusted signature.

4.11. Requirements for the use of a public-key certificate scheme:

• Only the certificate authority can create and update certificates
• Any participant can verify that the certificate originated from the certificate authority and is not counterfeit
• Any participant can verify the currency of the certificate
• Any participant can read a certificate to determine the name and public key of the certificate's owner

4.12. Purpose of X.509 standard:

• The X.509 is part of the X.500 series that defines a directory service.
  • The directory is a server or distributed set of servers that maintain a database of information about users.
• The X.509 defines the framework for the provision of authentication services by the X.500 directory to its users and it may serve as a repository of public-key certificates.
• It also defines the alternative authentication protocol based on the use of public-key certificates.

4.13. Chain of Certificates:

• A certificate chain consists of all the certificates needed to certify the subject identified by the end certificate.
• This includes the following:
  • The end certificate
  • The certificate of intermediate CAs
  • The certificate of a root CA trusted by all parties in the chain
• Every intermediate CA in the chain holds a certificate issued by the CA one level above it in the trust hierarchy.
• The root CA issues a certificate for itself.

4.14. X.509 certificate may be revoked for the following reasons:

• The CA's certificate assumed to be compromised
• The user is no longer certificated by this certificate authority (CA). This is because:
  • The subject name has changed
  • The certificate is suspended, or
  • The certificate was not issued in conformance with the CA's policies.
• The user's private key is assumed to be compromised.

The CAs must maintain a list consisting of all revoked certificates issued by the CA, including both those issued to users and to other CAs. These lists should be posted on the directory.