IBM 10 SP1 EAL4 Server User Manual


 
5.12.1.1.2 Message digest
A message digest is text in the form of a single string of digits created with a one-way hash function. One-
way hash functions are algorithms that transform a message of arbitrary length into a fixed length tag called a
message digest.
A good hash function can detect even a small change in the original message to generate a different message
digest. The hash function is one-way; it is not possible to deduce the original message from its message
digest.
Message digests are used to provide assurance of message integrity. The sender generates a message digest
for each of the messages being sent. Each message is transmitted, along with its message digest. The
receiver separates the message digest from the message, generates a new message digest from the received
message using the same algorithm used by the sender, and compares the received message digest with the
newly generated one.
If the two message digests are different, then the message was altered on the way. If the two message digests
are identical, then the receiver can be assured that the message’s integrity was not compromised during
transmission.
5.12.1.1.3 Message Authentication Code (MAC)
A message authentication code (MAC) is a type of message digest that is created by encrypting the output of
a one-way hash function with a symmetric key.
5.12.1.1.4 Digital certificates and certificate authority
Cryptography with an asymmetric key depends on public keys being authentic. If two people are exchanging
their public keys over an untrusted network, then that process introduces a security vulnerability. Intruders
can intercept messages between them, replace their public keys with their own public keys, and monitor their
network traffic. The solution for this vulnerability is the digital certificate. A digital certificate is a file that
ties an identity to the associated public key.
This association of identity to a public key is validated by a trusted third party known as the certificate
authority. The certificate authority signs the digital certificate with its private key. In addition to a public key
and an identity, a digital certificate contains the date of issue and expiration date. OpenSSL supports the
international standard, ISO X.509, for digital certificates.
5.12.1.2 SSL architecture
SSL occupies a space between the transport and application layer in the network stack, and consists of two
layers. Both layers use services provided by the layer below them to provide functionality to the layers above
them. The lower layer consists of the SSL Record Protocol, which uses symmetric key encryption to provide
confidentiality to data communications over a reliable, connection-oriented, transport protocol TCP. The
upper layer of SSL consists of the SSL Handshake Protocol, the SSL Change Cipher Spec Protocol, and the
SSL Alert Protocol.
The SSL Handshake Protocol is used by the client and server to authenticate each other, and to agree on
encryption and hash algorithms to be used by the SSL Record Protocol. The authentication method supported
by SSL in the evaluated configuration is client and server authentication using X.509 certificates.
The SSL Change Cipher Spec changes the Cipher suite of encryption and hash algorithms used by the
connection. The SSL Alert Protocol reports SSL-related errors to communicating peers.
Figure 5-90 depicts different SSL protocols and their relative positions in the network stack.
185