Authentication means that the identity of an entity (a person, client, or server) has been verified to either a server or a client. Authorization means that an entity has permission to use a resource or file. An entity must be authenticated before it can be authorized to use a resource or file.
To maintain secure communications between a client and host, public key cryptography techniques are used for:
Authentication Verifying the identity of both the client and the server. Public-key cryptography techniques use digitally signed certificates that identify network entities.
Encryption Modifying data so that it can be read only by the party for whom it is intended. When used with a user’s private key, certificates encrypt and decrypt messages.
Unencrypted messages are known as plain text. Encoding the contents of a message is called encryption. This encrypted message is the cipher text. Decryption is the process of retrieving the plain text from the cipher text. A key is usually required to perform encryption and decryption.
Public key encryption uses a pair of keys for encryption and decryption. One key is secret (the private key) and the other key is distributed (the public key). You send your digitally signed public key (certificate) to anyone with whom you wish to communicate using encoded data.
Messages that are sent to you are encrypted with your distributed public key and decrypted by your private key, while messages sent by you are encrypted with your private key and decrypted with your distributed public key. RSA encryption is a widely used public-key encryption system.
Public key certificates provide a way to identify and authenticate clients and servers on the Internet. Public key certificates are administered and issued by a third party known as a certification authority (CA). A subject (individual, system, or other entity on the network) uses a program to generate a key pair and submits the public key to the CA along with identifying information (such as name, organization, e-mail address, and so on). This is known as a certificate request. The CA issues a digitally signed certificate. A digital signature is a block of data that is created using a private key.
The CA ties the certificate owner to the public key within the certificate. The subject then uses the certificate, along with the private key to establish identity. Once this is done, whomever the subject is communicating with knows that a third party has vouched for his identity.
This process requires three steps:
A client submits a request for, and receives, a certificate from the CA.
An administrator installs the CA’s certificate on the server and marks it trusted. Any client certificate signed by the same CA will now be trusted and accepted by the server.
The client supplies its certificate and negotiates a secure connection with the server.
SSL provides security for network connections. Specifically, SSL uses public-key encryption to provide:
Client and server authentication using certificates
Encryption to prevent third parties from understanding transmitted data
Integrity checking to detect whether transmitted data has been altered
Packets for other protocols can be embedded inside SSL packets. A connection in which the application protocol is embedded inside SSL is an SSL-tunnelled connection.
Both IIOP and HTTP can be tunnelled inside SSL, which means that these protocols take advantage of SSL security features. For example, HTTPS connections embed HTTP packets inside SSL packets. Your Web browser creates a secure HTTP connection any time you load a page from a URL that begins with https.
