Home / About / Glossary

Certificate Authority Signing Key

 

This is the Private Key used by a Certificate Authority to digitally sign Certificates. Certificate Authority Signing Keys must be kept very secure so that Counterfeit Certificates cannot be issued.

 

Certificate Lifecycle Management (CLM)

 

The process of deploying, managing, and controlling digital certificates through their entire lifecycle, from request to renewal or revocation.

 

Certificate Policy

 

A document that describes the Certificate Authority’s responsibility with regards to the Certificates that they issue. It defines policies for Certificate issuance, enrollment, acceptable usage, and other areas.

 

Certificate Practice Statement

 

A set of operational processes that are based on the Certificate Policy that describes processes for issuance, renewal, validation, and revocation of Certificates. Also referred to as a Certification Practice Statement.

 

Certificate Revocation List (CRL)

 

A list of Certificates that have been revoked by a Certificate Authority (CA) and reasons for the revocation. CRLs must be periodically updated and include a nextUpdate date which indicates when that version of the CRL must be replaced with a new version. A CRL should be checked by a Relying Party before they use a Certificate to assure that it is still valid. This makes it critical that the CRL be readily available and be valid (i.e. not have exceeded their next Update date). Relying Parties can choose to rely on a Certificate even if they are not able to access the appropriate CRL but then run the risk of using a revoked Certificate. CRLs are signed by the CA so that Relying Parties can verify they are authentic.

 

Certificate Signing Request (CSR)

 

The request submitted by a Subject when they are enrolling for a Certificate. CSRs typically contain a Subject DN, Public Key, key usage indicators, and a Digital Signature. The Subject (or their system) must sign the CSR with the Private Key that matches the Public Key contained in the CSR to prove that they possess it. The predominant standard format used for CSRs is PKCS#10.

 

Client-side SSL Certificate

 

The Certificate used by a client in an SSL connection to Authenticate itself. This type of Authentication is typically called “mutual authentication” because the Server-side SSL Certificate is used to Authenticate the SSL server and the Client-side SSL Certificate is used to Authenticate the SSL client. In many SSL deployments, passwords are used to authenticate SSL clients, with the password being encrypted with the Server-side SSL Certificate (actually a Session Key) and then decrypted once it is on the server. Client-side SSL Certificate-based Authentication is considered more secure than password-based Authentication because passwords, once decrypted on the server, can be compromised. With Client-side SSL Certificate-based Authentication, the client’s Private Key is not sent to the server but is instead used to digitally sign some random information that is used by the server to Authenticate the client. Client-side SSL Certificates can be issued to individuals or systems.

 

Confidentiality

 

One of the three aspects associated with PKI systems (the other two are Integrity and Authentication). Confidentiality focuses on keeping things secret. In order to keep information secret, that information is encrypted so that only an individual or system with the appropriate key can decrypt and view the information.

 

Counterfeit Certificate

 

This is a Certificate that has been fraudulently issued and is presented as authentic. If a Counterfeit Certificate can be successfully issued, it can be used for malicious purposes. Here are some examples of how a Counterfeit Certificate might be used:

  1. Encryption: Elmer wants to see confidential information being sent from Thelma to Lester and Thelma trusts Certificate Authority 1. Elmer gets a Counterfeit Certificate issued from Certificate Authority 1 to him with his Public Key and Lester’s name in it. Thelma uses Elmer’s Counterfeit Certificate to encrypt data intended for Lester and Elmer is able to decrypt that data.
  2. Digital Signature: Thelma manages Lester’s money and relies on Digitally Signed messages from Lester to determine where to transfer money. Elmer uses a Counterfeit Certificate from Certificate Authority 1 to digitally sign a message with instructions to transfer $100,000 to his bank account and sends the message to Thelma (along with the Counterfeit Certificate. Since Thelma trusts Certificate Authority 1 and the Digital Signature on the Counterfeit Certificate validates, she transfers the money.
  3. Authentication: Lester uses a Certificate from Certificate Authority 1 to Authenticate to Thelma’s system to perform money transfers. Elmer Authenticates to Thelma’s system using a Counterfeit Certificate with Lester’s name in it and transfers Lester’s money to his account.

There are several ways that Counterfeit Certificates can be issued:

  1. Misidentification: A perpetrator uses the standard Certificate Authority Enrollment process but manages the to trick the Certificate Authority or Registration Authority into thinking they are somebody they are not and gets a Counterfeit Certificate issued.
  2. Registration Authority Compromise: A perpetrator infiltrates a Registration Authority or gains access to their credentials so that they can authorize requests for Counterfeit Certificates that are sent to the Certificate Authority.
  3. Certificate Authority Compromise: See Certificate Authority Compromise.
 

Cryptography

 

The art and science of hiding information. It has evolved to make use of mathematics to convert data into encrypted text in digital systems.

 
« OlderNewer »