Netscape Certificate Management System 6.2 Administrator's Manual, page 809

assumptions are true only if unauthorized personnel have not gained access to the user's machine or password, the password for the client software's private key database has been set, and the software is set up to request the password at reasonably frequent intervals.
NOTE: Neither password-based authentication nor certificate-based authentication addresses security issues related to physical access to individual machines or passwords. Public-key cryptography can only verify that a private key used to sign some data corresponds to the public key in a certificate. It is the user's responsibility to protect a machine's physical security and to keep the private-key password secret.
These are the steps shown in Figure J-5:

1. The client software, such as Communicator, maintains a database of the private keys that correspond to the public keys published in any certificates issued for that client. The client asks for the password to this database the first time the client needs to access it during a given session—for example, the first time the user attempts to access an SSL-enabled server that requires certificate-based client authentication. After entering this password once, the user doesn't need to enter it again for the rest of the session, even when accessing other SSL-enabled servers.

2. The client unlocks the private-key database, retrieves the private key for the user's certificate, and uses that private key to digitally sign some data that has been randomly generated for this purpose on the basis of input from both the client and the server. This data and the digital signature constitute "evidence" of the private key's validity. The digital signature can be created only with that private key and can be validated with the corresponding public key against the signed data, which is unique to the SSL session.

3. The client sends both the user's certificate and the evidence (the randomly generated piece of data that has been digitally signed) across the network.

4. The server uses the certificate and the evidence to authenticate the user's identity. (For a detailed discussion of the way this works, see Appendix K, "Introduction to SSL.")

5. At this point the server may optionally perform other authentication tasks, such as checking that the certificate presented by the client is stored in the user's entry in an LDAP directory. The server then continues to evaluate whether the identified user is permitted to access the requested resource. This
Appendix J
Introduction to Public-Key Cryptography
Certificates and Authentication
809
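The challenge-response flow of steps 1 through 5 above can be modelled directly in Go. The program below is an added example, not code from this manual or from Netscape's products. It uses only the Go standard library (crypto/rsa, crypto/x509): the client signs a SHA-256 digest of client- and server-supplied random data with the private key behind its certificate (step 2), the server verifies that signature against the public key in the presented certificate (step 4), and then checks that the certificate is the one stored in the claimed user's directory entry (step 5). The self-signed certificate is a constructed fixture standing in for a CA-issued user certificate, the `directory` map is a constructed stand-in for an LDAP lookup, and the names `authenticate`, `clientSign`, `serverVerify` and `issueTestCertificate` are the example's own. It also exercises two rejections the text implies: evidence replayed against a fresh server random, and a certificate that is not in the claimed user's entry.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// mustRandom returns n cryptographically random bytes; in the protocol the
// client and the server each contribute one such value per session.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// challengeDigest binds the signed data to both parties' random input, which is
// what makes the evidence unique to one session and useless if replayed.
func challengeDigest(clientRandom, serverRandom []byte) []byte {
	h := sha256.New()
	h.Write(clientRandom)
	h.Write(serverRandom)
	return h.Sum(nil)
}

// clientSign is step 2: the client, having unlocked its private-key database,
// signs the session-specific challenge with the private key behind its certificate.
func clientSign(key *rsa.PrivateKey, clientRandom, serverRandom []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, challengeDigest(clientRandom, serverRandom))
}

// serverVerify is step 4: the server checks the evidence against the public key in
// the presented certificate; only the matching private key could have produced it.
func serverVerify(cert *x509.Certificate, clientRandom, serverRandom, signature []byte) error {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("certificate does not carry an RSA public key")
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, challengeDigest(clientRandom, serverRandom), signature)
}

// directory is a constructed stand-in for the LDAP directory of step 5:
// user ID -> DER-encoded certificate stored in that user's entry.
type directory map[string][]byte

// authenticate runs steps 4 and 5: verify the evidence, then confirm the presented
// certificate is the one stored in the claimed user's directory entry.
func authenticate(dir directory, uid string, cert *x509.Certificate, clientRandom, serverRandom, signature []byte) error {
	if err := serverVerify(cert, clientRandom, serverRandom, signature); err != nil {
		return fmt.Errorf("evidence does not verify against certificate: %w", err)
	}
	if stored, ok := dir[uid]; !ok || !bytes.Equal(stored, cert.Raw) {
		return fmt.Errorf("certificate is not the one stored in the directory entry for %q", uid)
	}
	return nil
}

// issueTestCertificate builds a self-signed client certificate and its private key
// as a constructed fixture; in a real deployment a CA issues the user certificate.
func issueTestCertificate(cn string) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func main() {
	cert, key, err := issueTestCertificate("alice")
	if err != nil {
		panic(err)
	}
	dir := directory{"alice": cert.Raw}
	clientRandom, serverRandom := mustRandom(32), mustRandom(32)
	sig, _ := clientSign(key, clientRandom, serverRandom) // step 3: sent with the certificate
	fmt.Println("valid session:        ", authenticate(dir, "alice", cert, clientRandom, serverRandom, sig))
	fmt.Println("replayed evidence:    ", authenticate(dir, "alice", cert, clientRandom, mustRandom(32), sig))
	fmt.Println("wrong directory entry:", authenticate(dir, "bob", cert, clientRandom, serverRandom, sig))
}
```

The session binding in `challengeDigest` is the reason the manual can say the signed data is "unique to the SSL session": an attacker who captured one session's evidence cannot present it in another, because the server's random contribution differs. The directory check in `authenticate` is the optional step 5, and it runs only after the signature has been verified, so a certificate that merely looks like the stored one but is not controlled by the holder of the matching private key never reaches it.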