How Authentication Systems Use Digital Certificates

I’ve mentioned a couple of times that most authentication systems are able to integrate with PKI systems that use Digital Certificates. What I’m about to tell you is a broad generality, but it is a good description of how this combination works. The variances in implementation are due to changes in how the different vendors have configured their systems.

  1. An X.509 Digital Certificate is generated. (This can be done by an existing PKI system, or the authentication system can have one of its own servers handle this task. The Digital Certificate can also be stored on a smart card or token; when the token/card is slotted into the client machine, the certificate is available for use.)

  2. The Digital Certificate, along with its public key, is added to the key server. (A certificate on a token/card will already have been stored in the key server.)

  3. When a connection between a client and a server is initiated (for example), the client sends its Digital Certificate to the server. At this point only the certificate, and not the public key, is sent.

  4. The authentication system’s server validates the certificate by checking with the key server to see if this certificate is in the key server’s list of trusted entities.

  5. If something is wrong with the certificate, the connection is dropped.

  6. If the certificate is okay, the authentication system validates the certificate.

  7. The authentication server creates a session key, encrypts it with the public key of the certificate and sends the encrypted information back to the client. (Okay, now we can begin communicating!)

  8. The client uses its private key to decrypt the information received from the server and extract the session key.

  9. That session key is used to encrypt and decrypt the information that is now flowing back and forth between the two systems.

  10. Some session keys will have a time limit attached to them and the session will be renewed or dropped after that time period. Other session keys are available for use until the client ends the session.

So, you can see there is a lot of communication back and forth between the client and the server. This takes time to accomplish, but normally it happens so quickly that the user doesn’t really notice any lag in time.
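The exchange described in steps 1 through 8, as an added example that is not part of the original article: a self-signed client certificate stands in for one issued by a PKI, a Go CertPool stands in for the key server's list of trusted entities, and RSA-OAEP is the assumed way the server wraps the session key with the certificate's public key. All names and the certificate subject are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Step 1 (constructed): a self-signed X.509 client certificate. A real PKI's CA would sign
// it; the private key stays with the client (or on its token/card). Errors are ignored only
// because this is a demonstration with fixed inputs.
func newClientCert() (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "client.example.test"}, // placeholder name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Steps 3-6: the server checks the presented certificate against the key server's list of
// trusted entities (a CertPool here); Verify also rejects expired or wrong-usage certificates.
func serverTrusts(trusted *x509.CertPool, presented *x509.Certificate) bool {
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	_, err := presented.Verify(opts)
	return err == nil
}

// Step 7: the server draws a random session key and encrypts it (RSA-OAEP) with the public
// key carried inside the certificate, so only the holder of the matching private key can read it.
func issueSessionKey(cert *x509.Certificate) (wrapped, sessionKey []byte, err error) {
	sessionKey = make([]byte, 32)
	rand.Read(sessionKey)
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, cert.PublicKey.(*rsa.PublicKey), sessionKey, nil)
	return wrapped, sessionKey, err
}

// Step 8: the client recovers the session key with its private key; any other key fails.
func unwrapSessionKey(key *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, key, wrapped, nil)
}
```

From step 9 onward the recovered 32-byte key would drive a symmetric cipher such as AES-GCM for the session traffic.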
