Lecture
The disadvantages of password authentication, which in many cases prevent its practical use, are the inconvenience of working with a large number of users and the need to share a secret with the authentication server in advance. These problems can be solved with asymmetric cryptography, which is applied to authentication through the use of certificates.
A certificate is a block of information containing data that uniquely identifies the user, the user's public key, and the key's validity period. In addition, the certificate must be signed by a trusted party: a special certifying organization (certificate authority) that users trust. The signature algorithm is the algorithm the certifying authority uses to sign the certificate. The signature is created by passing the certificate text through a one-way hash function; the value obtained at the output of the hash function is then encrypted with the private key of the certifying authority. It is assumed that the public key of the certifying authority is publicly available and can be freely obtained by the user from public sources.
When the user's identity needs to be verified, the user presents the certificate in two forms: open, that is, the form in which it was received from the certifying organization, and closed, encrypted with the user's own private key. The authenticating party takes the user's public key from the open certificate and uses it to decrypt the closed certificate. If the result matches the open certificate, authentication succeeds. To check whether the certificate was really certified by the certifying organization, the signature of the issuing organization is decrypted with the public key of the organization that issued the certificate. If the result is the same certificate, the user has actually registered with this certifying organization and is who he claims to be. Currently, there are quite a number of special certificate authorities that store and authenticate user keys. The most popular user certification protocol today is the X.509 protocol, which is supported by most browsers, email clients, and information systems.
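The two checks described above, as an added Python example that is not part of the original lecture. It assumes textbook RSA without padding, toy keys built from Mersenne primes, and a made-up JSON certificate layout; all function names are hypothetical, and the private-key operation is applied to the hash of the certificate text for both the CA signature and the closed form.

```python
import hashlib, json

def make_key(p, q, e=65537):
    # Textbook RSA from two primes; toy keys, no padding, illustration only.
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def digest(text: bytes, n: int) -> int:
    # One-way hash of the certificate text, reduced to fit the toy modulus.
    return int.from_bytes(hashlib.sha256(text).digest(), "big") % n

def private_op(text: bytes, key) -> int:
    # "Encrypt the hash value with the private key."
    return pow(digest(text, key["n"]), key["d"], key["n"])

def public_op_matches(text: bytes, value: int, n: int, e: int) -> bool:
    # "Decrypt with the public key" and compare with the hash of the open text.
    return pow(value, e, n) == digest(text, n)

def issue(subject, user_key, ca_key, not_after):
    # The CA signs the subject name, the user's public key and the validity.
    text = json.dumps({"subject": subject, "n": user_key["n"],
                       "e": user_key["e"], "not_after": not_after},
                      sort_keys=True).encode()
    return text, private_op(text, ca_key)

def authenticate(text, ca_sig, closed, ca_n, ca_e):
    cert = json.loads(text)
    # Check 1: the closed form must open with the public key in the certificate.
    holds_key = public_op_matches(text, closed, cert["n"], cert["e"])
    # Check 2: the CA signature must open with the CA's public key.
    issued_by_ca = public_op_matches(text, ca_sig, ca_n, ca_e)
    return holds_key and issued_by_ca

# Constructed sample data: Mersenne primes as toy key material.
CA = make_key(2**61 - 1, 2**89 - 1)
ALICE = make_key(2**107 - 1, 2**127 - 1)
OTHER = make_key(2**31 - 1, 2**521 - 1)

def demo():
    text, ca_sig = issue("alice", ALICE, CA, "2030-01-01")
    ok = authenticate(text, ca_sig, private_op(text, ALICE), CA["n"], CA["e"])
    # Edited certificate: the CA signature no longer matches the text.
    forged = text.replace(b"alice", b"admin")
    bad_cert = authenticate(forged, ca_sig, private_op(forged, ALICE), CA["n"], CA["e"])
    # Closed form produced with a key other than the one in the certificate.
    bad_key = authenticate(text, ca_sig, private_op(text, OTHER), CA["n"], CA["e"])
    return ok, bad_cert, bad_key
```

Production X.509 verification uses padded signature schemes and also checks the validity period, which this toy leaves out.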
A certificate can be obtained from a commercial organization; Verisign (http://www.verisign.com), for example, provides this service. For certification within a local network, special software can be used. On the Windows platform, this may be the certificate server supplied with Windows 2000 Advanced Server.
Terms: Information security, Cryptography and cryptanalysis, Steganography and Stegoanalysis