The PST Resources Warehouse :: View topic - Smart cards and certs

Smart cards and certs

 
mhorowit
Posted: Sun Mar 28, 2010 1:32 am    Post subject: Smart cards and certs

Need some clarity on what's on a smart card vice a PKI cert.
From one source: "Smart cards... have embedded certificates used for authentication". "The certificate holds a user's private key"

When we study PKI, we see that the certificate is used to bind the user to his public key. In fact, one of the several items held on the PKI cert is the public key. The private key is kept elsewhere.

Seems like a conflict. Are we talking about two different certificates? - Mike
cdupuis
Posted: Mon Mar 29, 2010 5:01 pm    Post subject: Certificates versus PKI

Hum....

Let's see if I can shed some light.

A certificate is based on the X509 V3 standard. The certificate contains a series of fields that are mandatory and there are extensions that can be added as needed as well. In short, it is a container for information that has been signed by a certification authority.

When you apply for a certificate to be issued to you, the certification authority will take the necessary steps to validate your identity and, once it is convinced that you are WHO you PRETEND to be, it will vouch for your identity by signing the certificate using the CA private key. The certificate will include a copy of the user's PUBLIC key and a copy of the CA public key as well.

You make use of the CA PUBLIC key to validate the digital signature applied on the certificate. That would be one of the validation steps to ensure the certificate has not been modified since it was issued by the CA.

People who wish to communicate securely with you will do so using your PUBLIC key to encrypt the data that has to be sent over insecure networks such as the Internet. Only the corresponding PRIVATE key will be able to decrypt whatever has been encrypted with the PUBLIC key.

The PRIVATE key is never ever shared with anyone. It has to be kept totally secret and protected at all times. This is where the smart card could come into play.

SMART CARDS

You can think of a smart card as a VERY secure container.

The card has a processor on board and a fair amount of storage. The card could contain one or more digital certificates.

The smart card is a two factor authentication mechanism. The card is the first (something you have) and the pin (something you know) to unlock the card is the second.

Smart cards offer protection for the content stored within the card. They are a good storage location for your PRIVATE key. The PUBLIC key does not need to be protected; it can be put on your website, signature within emails, phone book, or anywhere you wish.

The public key of a user is usually kept within his digital certificate. People can download and use your digital certificate to validate who you are and then extract a copy of your PUBLIC key from the certificate to communicate securely with you.

The certificate that you receive never ever contains the private key. However, your smart card would be a great place to secure your private key instead of leaving it on your workstation where it could be stolen and your passphrase captured using a keystroke recorder.

TRUST

We do need the CA or else the level of trust would be very low.

Anyone can generate key pairs as they wish; however, only by asking the CA to validate the identity would you get some trust. The CA is the one vouching for the user's identity.


Best regards

Clement
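
The split discussed in this thread, as an added sketch that is not part of either post: a CA-signed certificate carrying only the subject's public key, and a PIN-gated card object that uses the private key without ever returning it. It uses toy textbook RSA over constructed primes and a dict in place of real X.509, and every name in it (`make_keypair`, `issue`, `verify`, `SmartCard`, "Example CA", "alice") is hypothetical.

```python
import hashlib

# Toy textbook RSA over constructed primes: illustrative only, not secure.
def make_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))      # (public, private)

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def tbs(cert):
    # Signed portion: subject, issuer and the subject's PUBLIC key only.
    return f"{cert['subject']}|{cert['issuer']}|{cert['public_key']}".encode()

def issue(ca_name, ca_private, subject, subject_public):
    cert = {"subject": subject, "issuer": ca_name, "public_key": subject_public}
    n, d = ca_private
    cert["signature"] = pow(digest(tbs(cert), n), d, n)   # CA private key signs
    return cert

def verify(cert, ca_public):
    n, e = ca_public                         # CA public key checks the signature
    return pow(cert["signature"], e, n) == digest(tbs(cert), n)

def encrypt_to(cert, message_int):
    n, e = cert["public_key"]                # anyone can read this from the cert
    return pow(message_int, e, n)

class SmartCard:
    """Holds the private key; it is used on-card and never returned."""
    def __init__(self, private_key, pin, certificate):
        self._private, self._pin = private_key, pin
        self.certificate = certificate       # public, readable without the PIN
        self.tries_left = 3

    def decrypt(self, pin, ciphertext):
        if self.tries_left == 0:
            raise PermissionError("card blocked")
        if pin != self._pin:
            self.tries_left -= 1             # wrong guesses eventually block the card
            raise PermissionError("wrong PIN")
        self.tries_left = 3
        n, d = self._private
        return pow(ciphertext, d, n)

if __name__ == "__main__":
    ca_pub, ca_priv = make_keypair(2**61 - 1, 2**89 - 1)
    pub, priv = make_keypair(2**107 - 1, 2**127 - 1)
    card = SmartCard(priv, "1234", issue("Example CA", ca_priv, "alice", pub))
    print(verify(card.certificate, ca_pub), sorted(card.certificate))
```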
All times are GMT + 5 Hours

 
All logos and trademarks in this site are property of their respective owner. The comments are property of their posters, all the rest © 2003-2008 by Clement Dupuis and Nathalie Lambert (Site Maintainers).

 


 

 

