Single Sign-On Deployment Guide

[Contents] [Previous] [Next] [Last]

Appendix A
Netscape's Use of Public-Key Cryptography

Public-key cryptography and related standards underlie key security features of many Netscape products, including signed and encrypted email, object signing, single sign-on, and SSL. This document introduces some basic concepts of public-key cryptography that underlie Netscape security features.

For a comprehensive discussion of these topics, see Applied Cryptography by Bruce Schneier (Wiley, 1996).

Public-Private Key Pairs

Public-key cryptography involves a pair of keys--a public key and a private key--associated with an entity that needs to authenticate its identity electronically or to sign or encrypt data. Each public key is published as part of a certificate, and the corresponding private key is kept secret. Data encrypted with your public key can be decrypted only with your private key. Figure 17 shows a simplified view of the way this works.

Figure 17    Using public and private keys for encryption

The scheme shown in Figure 17 lets you freely distribute a public key, and only you will be able to read data encrypted using this key. In general, to send encrypted data to someone, you encrypt the data with that person's public key, and the person receiving the encrypted data decrypts it with the corresponding private key.

As it happens, the reverse is also true: data encrypted with your private key can be decrypted only with your public key. This would not be a desirable way to encrypt sensitive data, however, because it means that anyone with your public key, which is by definition published, could decrypt the data. Nevertheless, private-key encryption is useful, because it means you can use your private key to sign data with your digital signature. Client software such as Communicator (with the aid of your public key) can then confirm that the message was signed with your private key and that it hasn't been tampered with since being signed. For more information about the way this works, see Digital Signatures.

Certificates

A certificate is an electronic document used to identify an individual, company, or other entity. Certificate authorities (CAs) are entities that validate identities and issue certificates. They can be either independent third parties or organizations running their own certificate-issuing server software (such as Netscape Certificate Server). The methods used to validate an identity vary depending on the policies of a given CA. In general, before issuing a certificate, the CA must use its published verification procedures for that type of certificate to ensure that an entity requesting a certificate is in fact who it claims to be.

Before submitting a request for a certificate to a CA, client software such as Communicator generates a public key and the corresponding private key. The certificate issued by the CA binds the public key to the name of the requesting entity (such as the name of an employee or a server). Certificates help prevent the use of fake public keys for impersonation.

A certificate is like a driver's license, a passport, or any other personal ID that provides generally recognized proof of a person's identity. A certificate always includes a public key, the name of the entity it identifies, an expiration date, the name of the CA that issued the certificate, a serial number, and other information. Most importantly, a certificate always includes the digital signature of the issuing CA. The CA's digital signature allows the certificate to function as a "letter of introduction" for users who know and trust the CA but don't know the entity identified by the certificate.

Types of Certificates

Communicator recognizes five kinds of certificates. The first two in this list are used with the Secure Sockets Layer (SSL), a standard protocol for authentication and encryption over TCP/IP networks:

Navigator 3.x and earlier versions recognize only SSL certificates and CA certificates. Communicator recognizes all five. It's also possible to issue a single certificate that can function as both an S/MIME certificate and a client SSL certificate.

Any certificate binds a distinguished name (DN) to a public key. A DN is the string representation of an entity's name. It consists of a series of comma-separated attribute-value assertions (AVAs). Here is an example:

uid=doe,e=doe@netscape.com,cn=John Doe,o=Netscape Communications Corp.,c=US
Each attribute tag, such as uid, labels a value, such as doe. The attribute tags used in a DN may vary somewhat from one organization to another, but the combination of AVAs must be unique to the entity the certificate identifies.

Every certificate includes the following information:

A certificate can also contain extensions, not listed here, that provide additional data used by the client or server. For example, certificates used with Netscape products include the Netscape certificate type extension, which indicates the type of certificate--that is, whether it is a client SSL certificate, a server SSL certificate, a certificate for signing email, and so on. Certificate extensions can also be used for a variety of other purposes.

Keeping Track of Certificates

When a user receives a client SSL certificate, it is typically installed in the user's copy of Communicator or other client software. Communicator supports the public-key cryptography standard known as PKCS #12, which governs key portability. This means, for example, that you can move your certificates (and the corresponding private keys) from one computer to another on floppy disks.

Communicator also supports PKCS #11, which governs communication with devices like smartcards and PCMCIA cards. This support means that Communicator can exchange information with smartcards in smartcard readers attached to client machines. For example, Communicator can use certificates and private keys stored on smartcards as well as those stored within Communicator itself.

Navigator 3.x doesn't support PKCS #11 or PKCS #12, although it is possible, for example, to manually move certificate (cert5.db) and key (key.db) database files from a central directory on the network into the Navigator directory (on Windows 95) or equivalent.

To validate a certificate, Netscape client software relies in part on its list of accepted CAs. A CA can be a publicly recognized independent company (such as those listed at Certificate Authority Services), or it can be an individual or department recognized only within a corporation's intranet or extranet (such as the internal Netscape CA). The user can add CAs to the list of trusted CAs and, if necessary, delete CAs that the user decides not to trust. If a certificate cannot be traced back to one of the CAs on Communicator's list, the user identified by that certificate can't be authenticated by a server that supports single sign-on.

To view your current list of CAs in Communicator, click the Security button near the top of the Navigator window, then click Signers under Certificates. The list of certificate signers (that is, CAs recognized by your copy of Communicator for validating certificates) looks like the one shown in Figure 18.

Figure 18    Viewing CA certificates in the Security Info window

Communicator's list of certificate signers is just a collection of CA certificates--that is, certificates issued by CAs for the purpose of identifying themselves. You can select a CA and use the Edit button to control the kind of certificates (such as SSL or email) certified by that CA that you are willing to accept. You can also use the Delete button to delete a CA from the list.

Mission Control allows network administrators to set up this initial list for copies of Communicator and also to modify it dynamically for copies of Communicator Professional Edition. Since both Communicator and Navigator 3.x come with a default list of CAs, it may also be necessary to remove some of them if an administrator wants users to trust only certain CAs, such as those operated by a company.

In Navigator 3.x, you can view the list of all installed certificates by choosing Security Preferences from the Options menu, then clicking Site Certificates. To view the CA list only, choose Certificate Authorities from the pop-up menu near the top of the window. You can then edit or delete any particular CA listing much as you can in Communicator.

Servers maintain similar lists of CAs. To view the list of CAs for a given server, follow these steps from within the Administration Server:

  1. Click the Keys & Certificates tab.

  2. Click Manage Certificates in the left frame.

  3. Using the pop-up menu, select the server whose certificates you want to see, then click OK.
The frame that appears next is shown in Figure 19. It includes all certificates in the server's database, including CA certificates. When you click the name of a certificate listed as a CA, a dialog box appears that allows you to delete the certificate, trust the CA, or not trust the CA.

Figure 19    A server's list of certificates

For an overview of the way certificates are used to confirm a signer's identity, see Authenticating a User's Identity.

Digital Signatures

When Netscape software signs data, such as an email message or Java code, it first creates a one-way hash of that data. A one-way hash (also called a message digest) is a number of fixed length with the following characteristics:

As explained in Public-Private Key Pairs, it's possible to use your private key for encryption and your public key for decryption. Although this is not desirable when you are encrypting sensitive information, it is a crucial part of digitally signing any data. Instead of encrypting the data itself, the signing software creates a one-way hash of the data, then uses your private key to encrypt the hash. The encrypted hash is known as the signer's digital signature.

Figure 20 shows a simplified view of the way a digital signature can be used to validate the integrity of signed data.

Figure 20    Using a digital signature to validate data integrity

Figure 20 shows two items transferred to the recipient of some signed data: the original data and the digital signature, which is a one-way hash (of the original data) that has been encrypted with the signer's private key. To validate the integrity of the data, Communicator first uses the signer's public key to decrypt the hash. It then uses the same hashing algorithm that was used to generate the original one-way hash to generate a new one-way hash of the same data. (Information about the hashing algorithm used is also sent with the digital signature, although this isn't shown in the figure.) Finally, Communicator compares the new hash against the original hash. If the two hashes match, the data has not changed since it was signed. If they don't match, the data may have been tampered with since it was signed, or the signature may have been created with a private key that doesn't correspond to the public key presented by the signer.

If the two hashes match, the recipient can be certain that the public key in the signer's certificate corresponds to the signer's private key. To confirm the identity of the signer, however, also involves confirming the validity of the digital signature of the CA who issued the signer's certificate. For a discussion of the way this works, see Authenticating a User's Identity.

The significance of a digital signature is comparable to the significance of a handwritten signature. Once you have signed some data, it is difficult to deny doing so later--assuming that the private key has not been compromised or out of the owner's control. This quality of digital signatures is described as nonrepudiation. In some situations, a digital signature may be as legally binding as a handwritten signature. Therefore, signers should take great care to ensure that they can stand behind any data they sign.

Getting a Certificate

The public key and the corresponding private key are created locally by the server or client software that requests the certificate. To help ensure that the private key isn't compromised, it remains on the local machine, and client software or the system administrator submits the public key along with other information to the certificate authority (CA) that issues the certificate. The CA may be an independent company that issues certificates for a fee or an administrator running a Netscape Certificate Server within an organization. The CA verifies the identity of the requester according to the CA's security policies, then issues the certificate.

In addition to the public key, DN, and other information, every certificate includes the name and digital signature of the CA that issued it, as shown in Figure 21.

Figure 21 shows a simplified view of the way a user named John Doe might use Communicator to obtain a client SSL certificate from a CA. The details of this procedure vary depending on the kind of certificate requested, the software doing the requesting, and the security policies of the CA. However, the overall process works basically the same way for any software (including Communicator, Navigator 3.x, and SuiteSpot servers) used to request any kind of certificate.

Figure 21    Using Communicator to request a client certificate

As shown in the figure, John Doe provides the CA with proof of his identity, typically including an email address, employee number, or other information that uniquely identifies him for the purposes of the CA. This is often done by filling in a form. Communicator automatically generates a public-private key pair, sends the public key and information provided by the user to the CA, and stores the private key in the local private-key database. (If this is the first private key it has generated for the user's profile, Communicator also asks the user to specify a password, which it uses from that point on to protect the private-key database.)

The CA uses the information provided by John Doe to confirm his identity. For highly sensitive certificates, the confirmation process may require notarized documents or a personal interview; in other cases it may simply involve providing a Unix or NT login and password, or some other information known only to the user and the network administrator.

The CA can optionally pass some of the information provided by the user to a Verification Gateway Interface (VGI) script that populates the certificate with data drawn from a database. For example, the VGI script might fill in the company's legal name and the user's legal name, thus avoiding problems related to typos, nicknames, and so on. After the CA has verified John Doe's identity according to the requirements of the certificate type, the CA creates a certificate that includes a DN for John Doe; a public key; other information, such as the dates during which the certificate is valid and the certificate's serial number; and most importantly, the CA's digital signature on the certificate.

The CA's digital signature allows John Doe to use the certificate as a "letter of introduction" to servers that trust the CA. The CA's signature is obtained by encrypting a one-way hash of John Doe's certificate with the CA's private key. For more details about the way a digital signature is created, see Digital Signatures.

Authenticating a User's Identity

SSL-enabled servers can be configured to require client authentication, or cryptographic evidence of the user's identity. When a server configured this way requests client authentication during the SSL handshake, the client sends the server both a certificate and a separate piece of digitally signed data to authenticate itself. The server uses the digitally signed data to validate the public key in the certificate and to authenticate the identity the certificate claims to represent.

Both Communicator and Navigator 3.x create a digital signature in this situation by first creating a one-way hash from a piece of randomly generated data, called the nonce. (The client and the server both contribute toward the creation of the nonce, which is unique to each SSL session.) The hash of the nonce is then encrypted with the private key that corresponds to the public key in the certificate being presented to the server.

To authenticate the binding between the public key and the person or other entity identified by the certificate that contains the public key, a server configured to support single sign-on as described in this guide must receive a "yes" answer to the five questions shown in Figure 22. The server's list of trusted CAs, on the right side of the figure, determines which certificates the server will accept.

Figure 22    How a server authenticates a user's certificate

The server goes through these steps to authenticate the user's identity:

  1. Does the user's public key validate the user's digital signature? The server checks that the user's digital signature can be validated with the public key in the certificate. If so, the server has established that the public key asserted to belong to John Doe matches the private key used to create the signature and that the nonce has not been tampered with since it was signed.
    However, at this point the binding between the public key and the DN specified in the certificate has not yet been established. The certificate might have been created by someone attempting to impersonate the user. To authenticate the binding between the public key and the DN, the server must also complete steps 3 and 4.

  2. Is today's date within the validity period? The server checks the certificate's validity period. If the current date and time are outside of that range, the authentication process won't go any further. If the current date and time are within the certificate's validity period, the server goes on to step 3.

  3. Is the issuing CA a trusted CA? Each SSL-enabled server maintains a list of trusted CA certificates. If the DN of the issuing CA matches the DN of a CA on the list of trusted CAs, the answer to this question is yes, and the server goes on to step 4. If the issuing CA is not on the list, the client will not be authenticated unless it can verify a certificate chain ending in a CA that is on the list (see Verifying Certificate Chains for details). Administrators can control which certificates are trusted or not trusted within their organizations by controlling the lists of CA certificates maintained by clients and servers.

  4. Does the issuing CA's public key validate the issuer's digital signature? The server uses the public key from the CA's certificate (which it found in its list of trusted CAs in step 3) to validate the CA's digital signature on the certificate being presented. If the information in the certificate has changed since it was signed by the CA or if the public key doesn't correspond to the private key used by the CA to sign the certificate, the server won't authenticate the user's identity. If the CA's digital signature can be validated, the server treats the user's certificate as a valid "letter of introduction" from that CA and proceeds to step 5.

  5. Is the user's certificate listed in the LDAP entry for the user? This step allows a system administrator to revoke a user's certificate even if it passes the tests in all the other steps. To revoke a certificate, the administrator simply removes it from the user's entry in the LDAP directory. All servers that are set up to perform this step will then refuse to authenticate that certificate or establish a connection.
If the answer to all five questions is yes, the server considers the client to be authenticated, checks what resources the client is permitted to access according to the server's access control lists (ACLs), and establishes a connection with appropriate access. If the answer to any of the questions is no, the user identified by the certificate cannot be authenticated, and the user is not allowed to access the server.

[Contents] [Previous] [Next] [Last]

Last Updated: 10/20/97 14:15:46

Copyright © 1997 Netscape Communications Corporation

Any sample code included above is provided for your use on an "AS IS" basis, under the Netscape License Agreement - Terms of Use