Signatures and Digital Certificates

When we think of VPNs, the first thing that comes to mind is often the encryption of user data. But adversaries or those trying to read the data could. However, an attacker could record a conversation and then play back the responses between the participants. What we need is a way to make sure that the source of the data is genuine, and that is where digital signatures and certificates come in.

To build a digital signature, a public key encryption system must be in place. Building the digital signature involves applying a hash function to the message: the message is concatenated with a known secret key, and a mathematical function is then applied to produce a fixed-length output known as a digest. The digest is then encrypted with the public decryption key, which produces a signature that can be added to the message to verify that the message is from the genuine source.

The receiver recalculates the hash function and compares it with the signature after applying the public key. If the two match then, because only the author could have known the hash function and the private key, the message must be genuine.

Message digest algorithms use hash functions that map many possible inputs onto each of a large number of outputs. What is produced is a fixed-length field, typically a few hundred bits long. A secret key is shared between the sender and receiver, and concatenating it with the message to be transferred produces the digest.

MD5 (Message Digest 5) is probably the most widely used hash function; it produces a 128-bit digest that is often added to the header before the packet is transmitted. Any change to the message will cause the digest to change, and even the source and destination IP addresses can be included alongside the message content when creating the digest, which validates the addresses as well.

Another popular hash algorithm is SHA (Secure Hash Algorithm), which produces a 160-bit digest and so offers higher security than MD5.

No matter how long the digest is, an identical packet will always produce an identical digest. Anyone wishing to attack the system could therefore monitor the exchanges and determine which packets, sent in any order, would produce some known result; that result could then be reproduced by repeating the messages. This is known as a collision attack.

HMAC (Hash-based Message Authentication Code) can be used to combat collision attacks by including two computed values known as ipad and opad, which are initially computed using the secret key for the first packet and recalculated for subsequent packets. The values are stored after each packet and retrieved for use in calculating the digest of the next packet. This ensures that the digest is always different, even for identical packets.
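The following is an added example, not code from the original article. It builds HMAC-SHA256 by hand from the two padding constants (ipad = 0x36, opad = 0x5c) of the RFC 2104 construction and checks the result against Python's standard `hmac` module. It also goes one step beyond the paragraph above: because HMAC itself is deterministic, the example feeds a per-packet sequence number into the MAC input (the approach IPsec takes) so that identical payloads carry different tags, and a small receiver rejects any sequence number it has already seen. The shared key, payload and sequence numbers are constructed values.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 block size in bytes; HMAC pads or hashes the key to this length
IPAD = bytes([0x36]) * BLOCK_SIZE
OPAD = bytes([0x5C]) * BLOCK_SIZE


def hmac_sha256_manual(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 from the RFC 2104 definition:
    H((K xor opad) || H((K xor ipad) || message))."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()  # keys longer than a block are hashed first
    key = key.ljust(BLOCK_SIZE, b"\x00")  # shorter keys are zero-padded to a full block
    k_ipad = bytes(k ^ p for k, p in zip(key, IPAD))
    k_opad = bytes(k ^ p for k, p in zip(key, OPAD))
    inner = hashlib.sha256(k_ipad + message).digest()
    return hashlib.sha256(k_opad + inner).digest()


def tag_packet(key: bytes, seq: int, payload: bytes) -> bytes:
    """Authenticate one packet. The 32-bit sequence number is part of the MAC
    input, so the same payload under a different sequence number gets a different tag."""
    return hmac_sha256_manual(key, seq.to_bytes(4, "big") + payload)


def verify_packet(key: bytes, seq: int, payload: bytes, tag: bytes) -> bool:
    """Constant-time comparison of the received tag against a fresh computation."""
    return hmac.compare_digest(tag_packet(key, seq, payload), tag)


class Receiver:
    """Accepts each sequence number once; a replayed or reordered packet is dropped
    before its tag is even checked."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0

    def accept(self, seq: int, payload: bytes, tag: bytes) -> bool:
        if seq <= self.last_seq:
            return False  # already seen: replay
        if not verify_packet(self.key, seq, payload, tag):
            return False  # tag does not match this sequence number and payload
        self.last_seq = seq
        return True


def demo() -> dict:
    """Constructed inputs; returns the observations a reader would want to check."""
    key = b"constructed-shared-secret"
    payload = b"GET /balance"
    t1 = tag_packet(key, 1, payload)
    t2 = tag_packet(key, 2, payload)
    plain1 = hashlib.sha256(payload).digest()
    plain2 = hashlib.sha256(payload).digest()
    return {
        "manual_matches_stdlib": hmac_sha256_manual(key, payload)
        == hmac.new(key, payload, hashlib.sha256).digest(),
        "plain_hash_identical_for_identical_packet": plain1 == plain2,
        "sequenced_tags_differ_for_identical_payload": t1 != t2,
        "genuine_accepted": verify_packet(key, 1, payload, t1),
        "replayed_tag_rejected": not verify_packet(key, 2, payload, t1),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The receiver keeps only the last accepted sequence number; a production implementation (IPsec, for instance) keeps a sliding window so that packets reordered in transit are still accepted while duplicates are not.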

A digital certificate is produced using some known information, such as a name, address, mother's maiden name, house number, national insurance number, or indeed anything. This information is added to the public key and then used as input to the hash function to create the digest, which is then encrypted with the private key using a strong encryption system such as RSA or AES.

A digital certificate can be validated by passing it through the public encryption process with the user's public key to produce the digest. This is compared with the digest calculated from the user's declared identity and public key. If the two calculations give the same result, the certificate is valid. Digital certificates are attached to messages to verify the authenticity of the message's source.
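A worked end-to-end example, added here and not part of the original article, serving both the hash-and-sign process described earlier and the certificate validation just described. It uses textbook RSA over a SHA-256 digest with Python's standard library only; the moduli are built from constructed Mersenne primes (2^61-1, 2^89-1, 2^107-1, 2^127-1), far too small for real use but enough to keep the arithmetic visible. As in the verification step described above, the signer uses its private exponent and the verifier the public one. The identity fields, the `Certificate` layout and the `|`-separated "to be signed" encoding are assumptions of this example, not any real certificate format.

```python
import hashlib
from dataclasses import dataclass

# Constructed toy primes (Mersenne primes). Real RSA keys use primes of 1024 bits or more.
ISSUER_PRIMES = (2**61 - 1, 2**89 - 1)
SUBJECT_PRIMES = (2**107 - 1, 2**127 - 1)
E = 65537


@dataclass(frozen=True)
class KeyPair:
    n: int  # public modulus
    e: int  # public exponent
    d: int  # private exponent: never leaves the owner


def make_keypair(p: int, q: int, e: int = E) -> KeyPair:
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+; requires gcd(e, phi) == 1
    return KeyPair(n, e, d)


def digest_int(data: bytes, n: int) -> int:
    """SHA-256 digest as an integer reduced mod n (the toy modulus is smaller than 256 bits)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(key: KeyPair, data: bytes) -> int:
    """Signature = digest^d mod n, computed with the signer's PRIVATE exponent."""
    return pow(digest_int(data, key.n), key.d, key.n)


def verify(n: int, e: int, data: bytes, signature: int) -> bool:
    """Recover the digest with the PUBLIC exponent and compare it with a fresh digest of data."""
    return pow(signature, e, n) == digest_int(data, n)


@dataclass(frozen=True)
class Certificate:
    subject: str    # identity fields, serialised (constructed format)
    subject_n: int  # subject's public key
    subject_e: int
    signature: int  # issuer's signature over subject identity + subject public key


def tbs_bytes(subject: str, n: int, e: int) -> bytes:
    """The 'to be signed' bytes: identity information joined with the public key."""
    return f"{subject}|{n}|{e}".encode()


def issue_certificate(issuer: KeyPair, subject: str, subject_key: KeyPair) -> Certificate:
    data = tbs_bytes(subject, subject_key.n, subject_key.e)
    return Certificate(subject, subject_key.n, subject_key.e, sign(issuer, data))


def validate_certificate(issuer_n: int, issuer_e: int, cert: Certificate) -> bool:
    """Recompute the digest from the declared identity and public key, then compare it
    with the digest recovered from the signature using the issuer's public key."""
    data = tbs_bytes(cert.subject, cert.subject_n, cert.subject_e)
    return verify(issuer_n, issuer_e, data, cert.signature)


def verify_signed_message(issuer_n: int, issuer_e: int, cert: Certificate,
                          message: bytes, signature: int) -> bool:
    """Receiver side: trust the certificate first, then check the message signature
    with the public key the certificate vouches for."""
    if not validate_certificate(issuer_n, issuer_e, cert):
        return False
    return verify(cert.subject_n, cert.subject_e, message, signature)


def demo() -> bool:
    issuer = make_keypair(*ISSUER_PRIMES)
    alice = make_keypair(*SUBJECT_PRIMES)
    cert = issue_certificate(issuer, "CN=alice,house=42", alice)  # constructed identity
    msg = b"transfer 10 to bob"
    sig = sign(alice, msg)
    return verify_signed_message(issuer.n, issuer.e, cert, msg, sig)


if __name__ == "__main__":
    print("signed message accepted:", demo())
```

The receiver never needs the issuer's or the subject's private key: it holds only the issuer's public key, and the certificate carries the subject's public key. Changing a single byte of the identity fields, the message, or the signature makes the recomputed digest and the recovered digest disagree.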
