Lesson 11: Security Basics
User Authentication with Kerberos
Kerberos is another authentication technology. It is one
that has been broken into historically; however, it provides
a good level of security. With Kerberos, a ticket is created
that has a specific time allocated to it.

Once a ticket is issued to me, the fact that the ticket was
sent, plus my login itself, ensures that I have access to
that system. The tickets, or credentials, are issued by a
trusted Kerberos server that you are allowed onto with a
specific ID that you have.
How Public Key Works
You’ll hear the term Public Key. A Public Key works in
conjunction with something called a Private Key.

This technology was developed back in the ’70s. The Private
Key is something that you keep to yourself.
The Private Key exists perhaps on your PC, or perhaps as a
piece of code that you have.
A Public Key is something that you publish to the outside
world. You take your document, encrypt it using your Private
Key, and send it out. The user who receives your document
can access your Public Key.
By using these two things together, the user who receives
your document can use your Public Key to ensure that the
document you sent is, in fact, the document that you thought
it was.
So the two keys together, in essence, create a unique key,
something that’s uniquely known by the combination of
the Private Key and the Public Key.
Digital Signatures
Digital Signatures take us a little bit further. With a
Digital Signature, we take the original document and run it
along with the Private Key to create something called the
Hash. This is another unique, smaller document that’s
created with the Digital Signature.
That unique document is sent along, and your Public Key can
be used in conjunction with that new smaller document. If
the Public Key checks out against that document, then you
know the integrity of the original document is in place.

So here we’ve verified both the user that’s sending the
document and the document itself as being truthful and, in
fact, the document that we thought was sent out. In this
way, we know that the document hasn’t been altered.
Certificate Authority
You might want to ensure that important documents come out
with some kind of encryption or digital signatures so you
know they are exactly what the sender intended. A Certificate
Authority allows you to do just that. It relies on a third
party to issue the certificates that ensure that you are who
you say you are.

Why would you want a third party to do that? There are a
number of reasons. One may be cost: it may be more cost
effective to have a third party do it rather than act as the
Certificate Authority yourself. Another reason is if you’re
involved with third parties. Say I’m a manufacturer and I
have a supplier. That same supplier may issue supplies to a
competitor of mine.
I don’t want to issue certificates from my corporate
database to the supplier, because they could be used
maliciously by somebody at my competitor’s site. So I want a
trusted third party; somebody that everybody trusts equally.
The Certificate Authority verifies identity. It knows who
all the different players are. It signs the digital
certificate containing the device’s Public Key, so the
certificate becomes the equivalent of an ID card. There are
a number of different partners that we use with this. These
include Verisign, Entrust, Netscape, and Baltimore Technologies.
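
The signing and certificate checks described in the Digital Signatures and Certificate Authority sections, as an added example that is not part of the original lesson. It uses unpadded textbook RSA with fixed Mersenne primes so that it runs on the Python standard library alone; the function names, the sample document and the name supplier.example are assumptions made for the illustration.

```python
import hashlib

E = 65537  # common RSA public exponent

def make_keypair(p, q):
    """Build ((n, e), (n, d)) from two primes: public key, private key."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(data):
    """The document's hash as an integer (256 bits, far smaller than any n here)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, private):
    n, d = private
    return pow(digest(data), d, n)  # needs the private key

def verify(data, signature, public):
    n, e = public
    return pow(signature, e, n) == digest(data)  # needs only the public key

def cert_body(name, public):
    return f"{name}|{public[0]}|{public[1]}".encode()

def issue_certificate(name, subject_public, ca_private):
    """The CA binds a name to a public key by signing both together."""
    return {"name": name, "public": subject_public,
            "ca_sig": sign(cert_body(name, subject_public), ca_private)}

def check_document(doc, signature, cert, ca_public):
    """Accept the sender's key only if the CA vouches for it, then check the document."""
    if not verify(cert_body(cert["name"], cert["public"]), cert["ca_sig"], ca_public):
        return "untrusted certificate"
    if not verify(doc, signature, cert["public"]):
        return "document altered or wrong signer"
    return "valid"

# Constructed sample data. The primes are well-known Mersenne primes, chosen
# only so the demo needs no key generator; they are not suitable for real keys.
CA_PUBLIC, CA_PRIVATE = make_keypair(2**521 - 1, 2**607 - 1)
SENDER_PUBLIC, SENDER_PRIVATE = make_keypair(2**1279 - 1, 2**2203 - 1)
DOC = b"Purchase order 17: 500 units"
CERT = issue_certificate("supplier.example", SENDER_PUBLIC, CA_PRIVATE)
SIG = sign(DOC, SENDER_PRIVATE)

if __name__ == "__main__":
    print(check_document(DOC, SIG, CERT, CA_PUBLIC))
    print(check_document(DOC + b"0", SIG, CERT, CA_PUBLIC))
```

A certificate signed with any key other than the Certificate Authority's is rejected before the document signature is even looked at, which is the point of having a third party that everybody trusts equally.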