Digital Signatures and Certificates
When we think of VPNs, often our first thought is that of encryption of the user data.
But adversaries or those intent on reading the data could record a conversation and then replay
the replies between to participants. What we need to do is to be able to ensure the source of
the data is genuine, and that is where digital signatures and certificates comes in.
To construct a Digital Signature, public key encryption systems must be in place. The
construction of the Digital Signature entails applying a hash function to the message by concatenation
of the message with a known secret key and then applying a mathematical function which will
produce a fixed length output known as the digest. The digest is then encrypted with the public
decryption key which produces a signature that can be appended to the message to verify that
the message is from the genuine source.
The receiver recalculates the hash function and compared with the signature after applying
the public key. If the two match, then because only the originator could have known the hash
function and the private key, the message must be genuine.
Message Digest algorithms use Hash functions to map many potential inputs to each of
a large number of outputs. What is normally produced is a fixed length field, typically a few
hundred bits in length. A secret key is shared between sender and receiver and by concatenating
this with a message for transfer, the digest is produced.
MD5 (Message Digest 5) is probably the most common hash function used, and it produces
a 128 bit digest which is often appended to the header before the packet is transmitted. Any
change in the message will cause the digest to change, and even the source and destination
IP addresses can be used together with the message contents when creating the digest, which
validates the addresses.
Another popular hashing algorithm is SHA (Secure Hash Algorithm) that produces a 160
bit digest ensuring greater security than MD5.
It doesn't matter how long the digest is, an identical digest will always result for
an identical packet. But anyone wishing to attack the system could monitor exchanges and determine
which packets sent in what ever order would result in some known result. This result could
therefore be reproduced by replay of the messages. This is known as a collision attack.
HMAC (Hash-based Message Authentication Code) can be used to combat collision attacks
by including two calculated values know as ipid and opid, which are initially calculated using
the secret key for the first packet and recalculated for subsequent packets. The values are
stored after each packet and recovered for use in the calculation of the digest for the next
packet. This ensures that the digest is always different even for identical packets.
A Digital Certificate is produced using some known information such as name, address,
mother's maiden name, house number, National Insurance number, or indeed anything. This information
is appended to the public key and then used as part of the hash function to create the digest
which is then encrypted using the private key through a secure encryption system such as RSA or AES.
A Digital Certificate can be validated by passing it through the public encryption process
with the public key for the user to yield the digest. This can be compared with the calculation
of the digest from the claimed identity of the user and their public key. If the two calculations
yield the same result then the certificate is valid. Digital certificates are appended to messages
to verify the authenticity of the source of the message.
This article on Pseudo Wires was written by David Christie, MD at NSTUK Ltd, Website
Network Systems Training (NST)
More Network Security Articles:
• Wireless Network Security
• Network Security by Filtering
• Designing Physical Network Security
• Wireless Network Security - The Basics of Securing a Wireless LAN
• Detecting Network Sniffers
• How to Secure Your Small Business Network
• The Role of Security Penetration Testers
• What is a Botnet Attack and How to Identify It?
• NMAP (Network Mapper) Port Scanner
• Denial of Service Attack (DoS) Detection and Mitigation