When I was studying for my CCIE security lab exam, using the Windows Server as a Certificate Authority (CA) was still on the blueprint. I also remembered that Cisco was gradually introducing the use of the Cisco router as a local CA and so we had to be familiar with both of them. In this series, we will look at the Certificate Authority in detail and also configure the Cisco router and ASA to act as certificate authorities. This is useful for various things, especially for establishing VPN tunnels that use RSA signatures for authentication.
Before we talk about the Certificate Authority, let’s first go through an introduction to cryptography. In its simplest form, cryptography is about hiding information so that we prevent its unauthorised disclosure. Two basic terms come up when discussing cryptography: encryption and decryption.
Encryption is the process of transforming plain text into cipher text, while decryption is the reverse process. Encryption and decryption are achieved using various algorithms (known as ciphers), but the strength of any encryption/decryption process does not rest entirely on the algorithm used; it also depends on another factor known as the key.
Let’s assume we have a plain text “intense school” that we want to keep secret while transferring that text across the Internet. We come up with an algorithm that says that we will replace every letter with another letter. This is our cipher. The next thing is to determine how to replace these letters. We agree that every letter is moved two places forward, i.e. ‘a’ becomes ‘c’, ‘z’ becomes ‘b’ and so on. This is our key. Following our encryption process, the cipher text becomes “kovgouguejqqn”. This cipher text makes no sense to anyone who reads it, and thus our encryption process is complete. To decrypt it, the receiver must know the cipher and the key.
While some algorithms are closed-source, the workings of many of them are in fact public knowledge; thus the key is a major “hush hush” in the entire process. This then brings us to the two types of cryptography that we have: Symmetric key cryptography and Asymmetric key cryptography.
In Symmetric key cryptography, the same key is used for both the encryption and decryption processes. It is also known as shared-secret cryptography and examples of ciphers that fall under this category include DES, RC4 and AES. Symmetric key algorithms are much faster than their asymmetric counterparts but the major drawback of these algorithms is how to share the keys securely beforehand.
Asymmetric key cryptography on the other hand uses different keys for the encryption and decryption processes. There is usually a pair of keys – private and public key – where only the private key of a pair can decrypt what the public key of that same pair encrypted and vice versa. As the names suggest, the private key is never to be shared while the public key can be distributed. Asymmetric key cryptography is the area of focus when we want to discuss the certificate authority. Let’s discuss how asymmetric key cryptography achieves authentication and confidentiality.
Asymmetric key cryptography: Authentication and Confidentiality
Authentication is about verifying the identity of someone or something. So how can we use Asymmetric key cryptography to accomplish this? Let’s go back to the private and public keys. To achieve the authentication function, the sender (the person who wants to authenticate himself) will encrypt a message using his private key and send this encrypted message to the receiver who already has the sender’s public key. Since the private key should never be shared, and as such should only ever belong to one person, the receiver can be certain that he is communicating with the sender because the sender’s public key was able to decrypt the message correctly.
It should be noted that anyone that has the sender’s public key can decrypt the message encrypted using the sender’s private key but this is not an issue because we are dealing with authentication. Moving on to confidentiality however, we are concerned about making sure that only the intended party can decrypt the message. Thus the sender encrypts the message using the receiver’s public key so that only the receiver’s private key can decrypt the message.
Now that we have a good understanding of Asymmetric key cryptography, let’s look at the certificate authority and why we need it. First, we need to understand the security challenge.
In the diagram above, the user wants to connect to the Good Server using a secure connection, HTTPS. It will go through the authentication process that we have described above for Asymmetric key cryptography. The first step is that the user needs to have the server’s public key so that she can authenticate the server. The question then is, “How does the user get that public key?” If the server were to just send its public key to the user, how would the user know that the public key she receives is from the Good Server and not from the Bad Server?
This is one of the reasons why we need a Certificate Authority: it acts as a trusted third party in Asymmetric key cryptography. The CA issues digital certificates to requesting parties in which it basically says, “Hey, the public key and identity contained in this digital certificate have been verified by me and you can go ahead and trust it”.
As we have described, the digital certificate contains the identity of the owner, the owner’s public key and is digitally signed by the Certificate Authority (it also contains some other things like period of validity, serial number and so on). A digital signature is a message encrypted using a private key and is used for authentication. This is done by the CA so that anyone who receives that digital certificate can verify the CA who issued the digital certificate.
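The trust check described above, as an added example that is not part of the original article: a toy CA signs the binding between an identity and a public key, and the user accepts a server's key only if that signature verifies under the CA's public key. It uses textbook RSA over a SHA-256 digest of the certificate fields, with constructed toy keys (no padding, trivially factorable primes); the function names and the host name good-server.example are assumptions made for illustration.

```python
import hashlib

E = 65537  # public exponent used by every toy key here

def keypair(p, q):
    """Textbook RSA: return (public, private) built from primes p and q."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(data, n):
    """SHA-256 of the data, reduced so it fits under the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private, data):
    """Authentication: only the private-key holder can compute this value."""
    n, d = private
    return pow(digest(data, n), d, n)

def verify(public, data, signature):
    """Anyone holding the public key can check the signature."""
    n, e = public
    return pow(signature, e, n) == digest(data, n)

def to_be_signed(subject, public):
    """The identity-to-key binding that the CA vouches for."""
    return f"{subject}|{public[0]}|{public[1]}".encode()

def issue(ca_private, subject, public):
    """CA side: sign the binding and return a toy certificate."""
    sig = sign(ca_private, to_be_signed(subject, public))
    return {"subject": subject, "public": public, "signature": sig}

def trusted(ca_public, cert, expected_subject):
    """User side: accept the key only if the CA's signature covers it."""
    tbs = to_be_signed(cert["subject"], cert["public"])
    return (cert["subject"] == expected_subject
            and verify(ca_public, tbs, cert["signature"]))

# Constructed toy keys built from Mersenne primes (illustration only).
ca_pub, ca_priv = keypair(2**107 - 1, 2**127 - 1)
good_pub, good_priv = keypair(2**61 - 1, 2**89 - 1)
bad_pub, bad_priv = keypair(2**521 - 1, 2**607 - 1)

good_cert = issue(ca_priv, "good-server.example", good_pub)
# Bad Server presents the genuine certificate with its own key swapped in.
swapped_cert = dict(good_cert, public=bad_pub)
# Bad Server signs a certificate itself instead of going to the CA.
self_signed = issue(bad_priv, "good-server.example", bad_pub)
```

Only `good_cert` passes `trusted(ca_pub, ...)`; the swapped and self-signed certificates are rejected because the CA's signature does not cover the Bad Server's key.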
How does all this work? Find out in the next article.
We will stop here for now and in the next article, we will further look into the workings of Asymmetric key cryptography when using a CA. Although cryptography is a very wide topic, we will keep things at a high level and with my explanations, I hope that I can simplify complex areas.
I hope you have found this article insightful and I’ll see you in the next one.