Glossary
SINAUT MD741-1
150
C79000-G8976-C236-05
X.509
A kind of "seal" which proves the authenticity of a public key (→ asymmetrical encryption) and of the data attached to it.
Certification can be used so that the user of a public key for encryption can be certain that the public key conveyed to him really does come from its issuer, and hence from the entity that is to receive the data to be sent. This verification of the authenticity of the public key, and the resulting link between the identity of the issuer and his key, is performed by a → Certification Authority (CA). This is done according to the rules of the CA, for example by requiring the issuer of the public key to appear in person. Following successful inspection the CA signs the public key with its (digital) signature; a certificate is created.
An X.509(v3) certificate therefore contains a public key, information about the key owner (given as a Distinguished Name, DN), the permitted uses of the key, etc., and the signature of the CA.
The signature is created as follows: from the bit sequence of the public key, the data on its owner and other data, the CA computes an individual bit sequence, which can be up to 160 bits long, the HASH value. This is encrypted by the CA using its private key and added to the certificate. Encryption with the CA's private key is proof of authenticity, i.e. the encrypted HASH character sequence is the digital signature of the CA. Should the data of the certificate be changed without authorization, the HASH value is no longer correct and the certificate becomes worthless.
The HASH value is also known as the fingerprint. As it is encrypted with the private key of the CA, anyone in possession of the corresponding public key can decrypt the bit sequence and thus check the authenticity of the fingerprint or signature in question.
Involving certification authorities means that key owners do not need to know one another, only the certification authority used. The additional key information also simplifies the administration of the keys.
X.509 certificates are employed, e.g., in e-mail encryption using S/MIME, and in IPsec.
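The following added example (not part of the SINAUT manual, and not code from the MD741-1) walks through the steps the entry describes using Go's standard crypto/x509 package: a CA binds an owner's public key and Distinguished Name into a certificate, hashes the to-be-signed part and signs that hash with its private key; a relying party that holds only the CA's public key then checks the signature. It also shows the two failure cases the entry implies: verification with the wrong CA's public key, and verification after the signed data has been altered. All names ("Example Root CA", "md741-example.local", "Example Org") are constructed example values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// DemoResult collects what the relying party can observe about the issued certificate.
type DemoResult struct {
	SubjectCN        string // owner identity (Distinguished Name) carried in the certificate
	IssuerCN         string // CA that signed the certificate
	SignedHashHex    string // SHA-256 over the to-be-signed part: the hash value the CA signs
	ValidWithIssuer  bool   // signature verifies with the genuine CA's public key
	ValidWithOtherCA bool   // signature checked against an unrelated CA's public key
	ValidAfterTamper bool   // signature checked after one bit of the signed data is changed
}

// newCA generates a CA key pair and a self-signed CA certificate ("name" is a constructed value).
func newCA(name string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// issueCert is the CA's step: the owner's public key and owner data are bound together
// and signed with the CA's private key. The owner's private key is never involved.
func issueCert(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, ownerCN string, ownerPub *ecdsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: ownerCN, Organization: []string{"Example Org"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		// permitted uses, matching the two applications the glossary entry names
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection, x509.ExtKeyUsageIPSECEndSystem},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, ownerPub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkTampered re-runs the CA signature check over a copy of the signed bytes with one
// bit flipped, standing in for an unauthorized change to the certificate's contents.
func checkTampered(leaf, ca *x509.Certificate) error {
	tbs := append([]byte(nil), leaf.RawTBSCertificate...)
	tbs[len(tbs)-1] ^= 0x01
	return ca.CheckSignature(leaf.SignatureAlgorithm, tbs, leaf.Signature)
}

// RunDemo issues one certificate and verifies it the way a relying party would.
func RunDemo() (DemoResult, error) {
	var r DemoResult
	caKey, caCert, err := newCA("Example Root CA")
	if err != nil {
		return r, err
	}
	_, otherCA, err := newCA("Unrelated CA") // a CA the relying party should not trust for this cert
	if err != nil {
		return r, err
	}
	ownerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the key owner's pair
	if err != nil {
		return r, err
	}
	leaf, err := issueCert(caKey, caCert, "md741-example.local", &ownerKey.PublicKey)
	if err != nil {
		return r, err
	}
	sum := sha256.Sum256(leaf.RawTBSCertificate) // the hash the CA signed (ECDSA with SHA-256)
	r.SubjectCN = leaf.Subject.CommonName
	r.IssuerCN = leaf.Issuer.CommonName
	r.SignedHashHex = hex.EncodeToString(sum[:])
	r.ValidWithIssuer = leaf.CheckSignatureFrom(caCert) == nil
	r.ValidWithOtherCA = leaf.CheckSignatureFrom(otherCA) == nil
	r.ValidAfterTamper = checkTampered(leaf, caCert) == nil
	return r, nil
}

func main() {
	r, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The point to take from the three checks is that the relying party never needs the CA's private key or a prior relationship with the key owner: the CA's public key alone decides whether the bound public key and Distinguished Name are authentic, and any change to the signed data, however small, makes the check fail.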