X.509

Certificate Overview

X.509

Certificates is the combination of public key, the identity of the user and the

certifying authority details. In other words, it is a digital certificate that

uses X.509 public key infrastructure (PCI) standard to verify that a public key

belongs to the user, computer or service identity. Since, it composes of public

key, it identifies the requirements of public key cryptography. In simple

words, it defines all the attributes of public key cryptography.

The

verification of X.509 certificate is done by CAs (Certificate Authority). Here,

CA verifies the identity of requester. It sends or encrypt and then encode and

issues the certificate.

Structure

of X.509 certificate

The

structure of X.509 certificate can be explained in details as follows: –

Version

Serial Number

Signature Algorithm

Identifier

Issuer Name

Validity Period

Subject Name

Public Key

Information

Issuer Unique ID

(optional)

Subject Unique ID

(optional)

Extensions (optional)

Version:

–

It implies which X.509 version applies to the certificate. It also denotes what

data should be included in the certificate.

Serial

no.: – It implies unique identity in the form of serial

number, to distinguish from other certificates.

Signature

Algorithm Identifier: – It tells about the algorithm used

by the issuer, generally a certificate authority to send the certificate.

Issuer

name: – It denotes the name of the entity, issuing the

certificate.

Validity

period: – It denotes/ indicates the start / end date and also

the type of issuing certificate.

Subject

name: – It indicates the name of the identity; the

certificate is issued to.

Public

key information: – It denotes the public key associated

with the subject/identity.

Issuer

Unique ID: – It indicates unique Identity of the

issuer, but is optional.

Subject

Unique ID: – It is also option. It denotes the

unique identity of the certificate that is issued to.

Extensions:

–

It’s optional as well.

Since,

every version of X.509 has version, serial no., signature algorithm identifier,

issuer name, validity period, subject name and public key information. Version

1 doesn’t contain issuer unique ID, subject unique ID, and extensions. Version

2 contains issuer unique ID and subject unique ID additional to version 1. Likewise,

version 3 contains all this additional information.

X.509

certificate’s importance for information security

X.509

certificate is the standard which defines all the attributes of public key

cryptography. Since, the certificate relies on hash key which are

mathematically related. Here, private key is kept secret and public key is

distributed among users. Therefore X.509 standard has specific rule for

providing public key to the users which are authorized by the certificate

authorizer, that helps in maintaining network traffic control and also

maintaining the standard that is set for encrypting and decrypting the

contents. Similarly, X.509 certificate is used to prove identity and to protect

one from being tampered.

For

e.g.

If

a XYZ company had a certificate issued to XYZtraining.com, the name of the

website could be included as a field in a certificate. When the certificate is

downloaded to a client computer, the client computer checks the name on the

certificate to see if it matches the website that they are trying to access. If

it does the certificate will be issued.

But

if the similar certificate is obtained by another website and an attempt is

made to use it, the certificate would be rejected as the website and name in

the certificate do not match.

Likewise,

if the name in the certificate is changed as the fields in certified can be

edited or changed and an attempt is made to use it, here digital signature in

the X.509 certificate plays its role. Since, it doesn’t match the data in the

certificate and the certificate will be rejected.

This

is why X.509 certificate is important.

Various

cryptographic functions

Symmetric

function: – This encryption function uses the same

key to encrypt as well as to decrypt the data. This generally makes it faster method

of encryption and decryption as compared to asymmetric function. As it uses the

similar key for encrypting and decrypting data firstly the key needs to be

stored securely and secondly secure channel is required to transfer the key.

Asymmetric

function: – Asymmetric function uses two keys; one

for encrypting data and another for decrypting data. These two keys are known

as public key and private key. This function is also called public key

encryption method. This function is slower than symmetric function.

Hash

function: – Hash function is a one-way encryption

method which uses no key. Instead, it uses hash value which is in fact a

fixed-length mathematical value, computed based on plain text. Hash function is

usually an algorithm that supports the concept of fingerprint for accessing

file contents which makes sure whether the contents had been altered by the

intruder or virus.

Employment

of these cryptographic function

The

first thing to understand during employment of cryptographic functions in X.509

certificate is the hash value. It is the value which represents the

certificate. Hash value is calculated by putting the certificate through a

mathematical function to produce a value. A simple hash function would be to

add each byte in a file together to obtain a single number. However, more

complex value is used in the original X.509 certificate. The hash value is put

through a mathematical function using the symmetric key to generate digital

signature. This digital signature is then added to the X.509 certificate. This

is shown in steps as follows: –

Now

that the digital signature had been added to the certificate it can be used

later to check that the certificate has not been altered or damaged. For this

the digital signature is put through a mathematical function using public key.

The result of this should be the original hash value. If this value is not

obtained then the person must understand that the X.509 certificate is corrupt

or has been intruded.

Here, the hash is a one-way process which means we

cannot use the hash value to generate the original X.509 certificate. This

means that even though the private key is used in the process, it is not

possible to use the digital signature to obtain the private key.