
Serious about Security? Who the X.509 are you?



Perhaps the greatest and most perceptive joke about the Internet appeared in The New Yorker in 1993. It depicted two dogs, one sitting on a chair in front of a PC and the other sitting on the floor looking up at the first. The dog on the chair was saying, "On the Internet, nobody knows you're a dog."

This quip raises the question: how do we know whom we are exchanging messages with on the Internet? Several technologies provide parts of the answer, such as public-key encryption and public-key infrastructure (PKI), but one has become foundational to the whole issue: digital certificates. (For more on PKI, see page 37.) And the most important standard in this area is X.509.

Wondering what this standard is? Well, Gearhead is here to help. X.509 is a standard from the International Telecommunication Union Telecommunication Standardization Sector (ITU-T) and ISO/IEC. First published in 1988 and revised in 1993, the current version (version 3) was released in 1996.

An X.509 certificate is a block of data, encoded with the ASN.1 Distinguished Encoding Rules (DER), divided into 11 major parts. The first section is the X.509 version field. The next is the certificate's serial number, which the issuing certification authority must keep unique among all the certificates it issues. Following that is the signature algorithm identifier, which names the algorithm the authority used to sign the certificate.

The next fields identify the certificate's issuer, spell out the validity period of the certificate (start and end dates) and provide the name of the certificate's owner (the subject) and the owner's public-key information.

Following that are optional sections: the issuer- and subject-unique identifier fields, which let an issuer or subject name be reused over time without ambiguity, and the extensions field (new in version 3), which provides additional information for the control and management of the certificate, such as what the key may be used for and whether the owner is itself an authority.

The final part of an X.509 certificate is the certification authority's digital signature. To produce it, the authority runs all the preceding fields through a hash function to create a "message digest," a short fixed-size value that depends on every bit of those fields. This digest is then signed with the authority's private key (with RSA, the operation looks like encrypting the digest with the private key) to create the signature value.

That's what X.509 is: a specification of the layout of digital certificates. But in practice there's a whole slew of implementations, in Internet Explorer and many other software packages.

With Microsoft Outlook, you can opt to sign a message: the message is signed with your private key and your digital certificate is attached. When the recipient receives the message, the certification authority is determined by looking at the certificate's issuer field. The e-mail program then looks up that authority's own certificate, and hence its public key, in its local store of trusted authorities (the authority's certificate is normally shipped with the software or installed by an administrator, not fetched from the authority's Web site at verification time). The public key is used to check the signature on the certificate, which reveals the message digest the authority computed when it issued the certificate.

This value can then be compared to a freshly calculated digest of the certificate's fields and, if they are the same, the certificate is authentic and unmodified. The same kind of check, this time using the owner's public key taken from the now-trusted certificate, confirms that the message itself was signed by the certificate's owner and has not been altered. That is, the certificate is valid unless it has expired or been revoked, for example because the certificate's owner has left the company or the private key has been compromised.

To determine the status of the certificate, the certification authority must be consulted. The traditional mechanism is the certificate revocation list (CRL): the authority periodically publishes a list of the serial numbers it has revoked, signed with its private key, and the recipient checks the certificate's serial number against it. The alternative is an online query (the Online Certificate Status Protocol, OCSP) in which the serial number is sent to the authority, which responds with an answer, effectively good, revoked or unknown. In both cases the response is not encrypted; it is signed, so that the recipient can verify it really came from the authority and was not altered in transit.

So, we've established that the message contents are intact and unmodified and that the sender's certificate is authentic and current, which means the message was signed with the private key that the certification authority bound to the sender's name. Whether that binding is worth trusting depends on how carefully the authority checked the sender's identity before issuing the certificate.
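The certificate layout described above and the recipient's checks that follow it, as an added example that is not code from the column, from Outlook or from any certification authority: a pure-Python model that builds a minimal DER-encoded X.509 certificate, signs it with a toy RSA key, parses it back into the fields listed above, and then runs the signature, validity-period, revocation and message-signature checks. Everything in it is constructed: the CA name, subject, serial numbers, dates and the revocation list are made up; the RSA primes are published Mersenne primes and the signature is an unpadded SHA-256 digest raised to the private exponent, so it models the mechanism and is not something to deploy. Two departures from the column's wording are deliberate and reflect how real clients work: the authority's public key comes from a local trust anchor rather than a Web site, and the revocation list is signed rather than encrypted.

```python
"""Toy X.509 model: DER layout, CA signature, recipient checks, revocation list.
Added example, not code from the column.  Names, serials, dates and the 'CRL' are
constructed; the RSA primes are public Mersenne primes, so nothing here is secure."""
import hashlib

# ---- minimal DER (tag, length, value) encoder and decoder --------------------
def der(tag, body):
    n = len(body)
    if n < 0x80:                                          # short-form length
        return bytes([tag, n]) + body
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")     # long-form length
    return bytes([tag, 0x80 | len(nb)]) + nb + body
def der_int(v): return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))  # non-negative
def seq(*items): return der(0x30, b"".join(items))
def oid(hexstr): return der(0x06, bytes.fromhex(hexstr))  # pre-encoded OBJECT IDENTIFIER
def name(cn):    return seq(der(0x31, seq(oid("550403"), der(0x0C, cn.encode()))))  # CN=...
def utc(s):      return der(0x17, s.encode())             # UTCTime "YYMMDDhhmmssZ"
def tlv(buf, pos=0):                                      # one TLV at pos -> (tag, value, next pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                         # long-form length
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + ln], pos + ln
def children(buf):                                        # (tag, value) pairs inside a SEQUENCE/SET body
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        out.append((tag, val))
    return out

# ---- toy RSA: sign = digest^d mod n, verify = sig^e mod n, no padding --------
def keypair(p, q, e=65537): return p * q, e, pow(e, -1, (p - 1) * (q - 1))  # (n, e, d)
def digest(data): return int.from_bytes(hashlib.sha256(data).digest(), "big")
def sign(data, priv): return pow(digest(data), priv[2], priv[0])
def verify(data, sig, pub): return pow(sig, pub[1], pub[0]) == digest(data)

# ---- certificate layout ------------------------------------------------------
SHA256_RSA = seq(oid("2A864886F70D01010B"), der(0x05, b""))   # sha256WithRSAEncryption, NULL
RSA_KEY    = seq(oid("2A864886F70D010101"), der(0x05, b""))   # rsaEncryption, NULL
def build_tbs(serial, issuer, subject, pub, not_before, not_after):
    """TBSCertificate: the fields the CA signs, in X.509 order (unique IDs omitted)."""
    return seq(der(0xA0, der_int(2)),                     # [0] version: v3 is encoded as 2
               der_int(serial),
               SHA256_RSA,                                # algorithm the CA will sign with
               name(issuer),
               seq(utc(not_before), utc(not_after)),      # validity
               name(subject),
               seq(RSA_KEY, der(0x03, b"\x00" + seq(der_int(pub[0]), der_int(pub[1])))),
               der(0xA3, seq(seq(oid("551D13"), der(0x04, seq())))))  # [3] basicConstraints cA=FALSE

def issue(tbs, ca_priv):
    """Certificate = SEQUENCE { tbs, signatureAlgorithm, signatureValue BIT STRING }."""
    sig = sign(tbs, ca_priv).to_bytes((ca_priv[0].bit_length() + 7) // 8, "big")
    return seq(tbs, SHA256_RSA, der(0x03, b"\x00" + sig))

def cn_of(name_der):                                      # Name > SET > SEQUENCE { OID, value }
    return children(children(children(name_der)[0][1])[0][1])[1][1].decode()
def parse(cert):
    """Split a certificate back into the parts listed in the column."""
    tbs, _alg, sig = children(tlv(cert)[1])
    f = children(tbs[1])
    key = tlv(children(f[6][1])[1][1][1:])[1]             # BIT STRING minus its unused-bits byte
    return {"tbs": der(0x30, tbs[1]),                     # DER is canonical: re-wrap == signed bytes
            "version": int.from_bytes(children(f[0][1])[0][1], "big") + 1,
            "serial": int.from_bytes(f[1][1], "big"),
            "issuer": cn_of(f[3][1]),
            "validity": tuple(v.decode() for _, v in children(f[4][1])),
            "subject": cn_of(f[5][1]),
            "public_key": tuple(int.from_bytes(v, "big") for _, v in children(key)),
            "signature": int.from_bytes(sig[1][1:], "big")}

def build_crl(revoked, ca_priv):                          # stripped-down CRL: a signed serial list
    body = seq(*(der_int(s) for s in revoked))
    return body, sign(body, ca_priv)

def status(serial, crl, ca_pub):
    body, sig = crl
    if not verify(body, sig, ca_pub):                     # forged or tampered list: trust nothing
        return "unknown"
    return "revoked" if serial in {int.from_bytes(v, "big") for _, v in children(tlv(body)[1])} else "good"

def check_signed_message(msg, msg_sig, cert, ca_pub, crl, now):
    """The recipient's checks, in the order the column walks through them."""
    c = parse(cert)
    if not verify(c["tbs"], c["signature"], ca_pub): return "bad certificate signature"
    if not c["validity"][0] <= now <= c["validity"][1]: return "certificate outside its validity period"
    if (st := status(c["serial"], crl, ca_pub)) != "good": return "certificate " + st
    if not verify(msg, msg_sig, c["public_key"]): return "bad message signature"
    return "ok"

# ---- constructed demo: a CA, a user certificate, a signed message ------------
CA_PRIV = keypair(2**521 - 1, 2**127 - 1)                 # insecure: both primes are public
ALICE_PRIV = keypair(2**607 - 1, 2**89 - 1)
CA_PUB, ALICE_PUB = CA_PRIV[:2], ALICE_PRIV[:2]           # CA_PUB plays the local trust anchor
ALICE_CERT = issue(build_tbs(1001, "Gearhead CA", "alice@example.test", ALICE_PUB,
                             "980301000000Z", "990301000000Z"), CA_PRIV)
CRL = build_crl([1000, 1002], CA_PRIV)                    # serial 1001 is not on the list

if __name__ == "__main__":
    msg = b"Could we finally be getting serious about security?"
    print(check_signed_message(msg, sign(msg, ALICE_PRIV), ALICE_CERT, CA_PUB, CRL, "980615120000Z"))
    forged = ALICE_CERT.replace(b"alice", b"bobby")       # edit the subject, keep the CA's signature
    print(check_signed_message(msg, sign(msg, ALICE_PRIV), forged, CA_PUB, CRL, "980615120000Z"))
```

Run as a script, the first line prints "ok" and the second "bad certificate signature": the subject name was edited after signing, so the digest of the altered fields no longer matches the one recovered from the authority's signature, and the recipient never gets as far as trusting the public key inside. Swap the signed serial list for a real CRL or OCSP response and the unpadded RSA for a proper library (PKCS#1 v1.5 or PSS padding) and the checks keep exactly this shape.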

The importance of X.509 is that it is a stable standard that will underpin everything you do with PKI in your organization. But is there a real market for it? Well, digital certificates based on X.509 version 3 and related services were expected to reach $56 million in 1998 and, according to a Dataquest report, be worth some $92 million by 2000. Could we finally be getting serious about security?

Comments and suggestions to gh@gibbs.com.


Copyright, 1994-2006 Network World, Inc. All rights reserved.