Authentication Confirms An Identity - Red Hat CERTIFICATE SYSTEM 7.3 - ADMINISTRATION Administration Manual

Appendix B. Introduction to Public-Key Cryptography
provides generally recognized proof of a person's identity. Public-key cryptography uses certificates to
address the problem of impersonation.
To get personal ID such as a driver's license, a person has to present some other form of identification
which confirms that the person is who he claims to be. Certificates work much the same way.
Certificate authorities (CAs) validate identities and issue certificates. CAs can be either independent
third parties or organizations running their own certificate-issuing server software, such as Certificate
System. The methods used to validate an identity vary depending on the policies of a given CA for the
type of certificate being requested. Before issuing a certificate, a CA must confirm the user's identity
with its standard verification procedures.
The certificate issued by the CA binds a particular public key to the name of the entity the certificate
identifies, such as the name of an employee or a server. Certificates help prevent the use of fake
public keys for impersonation. Only the public key certified by the certificate will work with the
corresponding private key possessed by the entity identified by the certificate.
In addition to a public key, a certificate always includes the name of the entity it identifies, an expiration
date, the name of the CA that issued the certificate, and a serial number. Most importantly, a certificate
always includes the digital signature of the issuing CA. The CA's digital signature allows the certificate
to serve as a valid credential for users who know and trust the CA but do not know the entity identified
by the certificate.
For more information about the role of CAs, see Section B.4.6, "How CA Certificates Establish Trust".
B.4.2. Authentication Confirms an Identity
Authentication is the process of confirming an identity. For network interactions, authentication
involves the identification of one party by another party. There are many ways to use authentication
over networks. Certificates are one of those ways.
Network interactions typically take place between a client, such as a web browser, and a server. Client
authentication refers to the identification of a client (the person assumed to be using the software) by
a server. Server authentication refers to the identification of a server (the organization assumed to be
running the server at the network address) by a client.
Client and server authentication are not the only forms of authentication that certificates support. For
example, the digital signature on an email message, combined with the certificate that identifies the
sender, can authenticate the sender of the message. Similarly, a digital signature on an HTML form,
combined with a certificate that identifies the signer, can provide evidence that the person identified by
that certificate agreed to the contents of the form. In addition to authentication, the digital signature in
both cases ensures a degree of nonrepudiation; a digital signature makes it difficult for the signer to
claim later not to have sent the email or the form.
Client authentication is an essential element of network security within most intranets or extranets.
There are two main forms of client authentication:
• Password-based authentication. Almost all server software permits client authentication by
requiring a recognized name and password before granting access to the server.
• Certificate-based authentication. Client authentication based on certificates is part of the SSL
protocol. The client digitally signs a randomly generated piece of data and sends both the certificate
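The mechanics this section describes, from the fields a certificate carries and the CA signature that binds a public key to a name, through to certificate-based client authentication in which the client signs a server-supplied random value, as an added example in Go. This is not code from the manual or from Certificate System itself; it uses only the Go standard library. The CA name "Example Corp CA", the user "alice", the ECDSA P-256 keys, the 32-byte nonce and the two impersonation attempts are all constructed for the example, and everything stays in memory rather than going through an SSL handshake, which is where this exchange normally takes place.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for subject and has parent sign it with parentKey. A nil
// parent yields a self-signed certificate, which is how a root CA's own certificate is
// made. All names and keys in this file are constructed for the example.
func issue(subject string, serial int64, isCA bool, key *ecdsa.PrivateKey,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),             // serial number
		Subject:               pkix.Name{CommonName: subject}, // name of the entity identified
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // expiration date
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	// CreateCertificate fills in the issuer name and the issuing CA's digital signature.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// signChallenge is the client's half: sign the server's random nonce with the private key
// that matches the client's certificate.
func signChallenge(key *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// verifyClient is the server's half. The client is accepted only if the certificate chains
// to a CA in roots (Verify checks the CA signature and the validity period) and the nonce
// signature verifies with the public key inside that certificate, proving possession of
// the corresponding private key. The example only ever issues ECDSA keys.
func verifyClient(roots *x509.CertPool, cert *x509.Certificate, nonce, sig []byte) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	pub := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("signature does not match the certificate's public key")
	}
	return nil
}

// Demo runs one legitimate login and two impersonation attempts against the same server.
// honest is nil; stolenCert (genuine certificate, wrong private key) and forgedCert
// (same name, but issued by a CA the server does not trust) are errors.
func Demo() (fields string, honest, stolenCert, forgedCert error, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca, err := issue("Example Corp CA", 1, true, caKey, nil, nil)
	if err != nil {
		return
	}
	aliceKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	alice, err := issue("alice", 2, false, aliceKey, ca, caKey)
	if err != nil {
		return
	}
	if err = alice.CheckSignatureFrom(ca); err != nil { // the CA's signature binds key to name
		return
	}
	fields = fmt.Sprintf("subject=%s issuer=%s serial=%s expires=%s", alice.Subject.CommonName,
		alice.Issuer.CommonName, alice.SerialNumber, alice.NotAfter.Format(time.RFC3339))
	roots := x509.NewCertPool() // the CAs this server knows and trusts
	roots.AddCert(ca)
	nonce := make([]byte, 32) // the server's randomly generated piece of data
	rand.Read(nonce)
	sig, _ := signChallenge(aliceKey, nonce)
	honest = verifyClient(roots, alice, nonce, sig)
	otherKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sig, _ = signChallenge(otherKey, nonce) // holds alice's certificate but not her private key
	stolenCert = verifyClient(roots, alice, nonce, sig)
	rogueKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rogueCA, _ := issue("Rogue CA", 1, true, rogueKey, nil, nil)
	forged, _ := issue("alice", 3, false, otherKey, rogueCA, rogueKey)
	sig, _ = signChallenge(otherKey, nonce)
	forgedCert = verifyClient(roots, forged, nonce, sig)
	return
}

func main() {
	fields, honest, stolen, forged, err := Demo()
	fmt.Println(fields, "\nhonest:", honest, "\nstolen cert:", stolen, "\nforged cert:", forged, "\nsetup error:", err)
}
```

Demo returns nil for the honest attempt and an error for the other two. The second attempt fails even though the certificate presented is genuine, because the signature over the nonce does not verify with the public key the CA certified; that is what "only the public key certified by the certificate will work with the corresponding private key" means in practice. The third attempt carries the right name and a matching key pair but fails at chain validation, before the signature is examined, because the server does not trust the issuing CA.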