HP Printers - Certificate-based authentication for data security (whitepaper)

What do you do if you are not using the default self-signed certificate for ID? You go to whoever signed
your printer's ID certificate and ask them for a CA certificate. After you have the CA certificate, the rest of
the steps are identical.
Checking the identity of the device presenting the certificate
The second step in verifying a certificate is to verify that the right person or device is presenting it. This is a
bit more complicated. Most of the time, web sites that require identification provide a way to enter a user
name and password. A few very high security sites will go one step further: “mutual authentication”. It
involves the only part of a certificate that is absolutely top secret: the “Private key”.
Encryption keys to create a digital certificate
The first step in creating a digital certificate is to make a pair of encryption keys. These are usually long
strings of bits (2048 bits each or longer). And, they are mathematically related to each other. What one
key encrypts, only the other key can decrypt. So, both keys are necessary for a two-way conversation.
This is called “Paired Key Infrastructure” or PKI for short.
One of the keys is called the “Private” key. It is hidden away in a safe place where nobody but you has
access. The other key is called the “Public” key and it is bundled together with the rest of the certificate to
get signed by the Certificate Authority (CA).
So, there are two parts: The Private key, which is hidden away and never shared with anybody. And,
there’s the signed certificate, which contains the Public key and is shared with everybody.
Identifying the real certificate owner
If you want to know if someone is the genuine owner of a certificate, take their certificate and use the
Public key to encrypt a message. Then wait to see if they can decrypt it. Remember, these keys come in
pairs. If I encrypt with one key, only the other key can decrypt. So, when sending a message encrypted
with the Public key, only the holder of the Private key will be able to decrypt it. And for this reason, it is
important to keep the Private key to yourself.
Protections against forgery
What if you take a certificate with its genuine CA signature and replace the original key pair with your own
key pair? Then you could use your own private key to decrypt anything that was encrypted with the public
key. But certificates have a self-checking feature that makes it easy to detect any changes: when anything
in the certificate is changed, the digital signature becomes invalid. So, you really can’t impersonate
someone else unless you can steal their private key.
Is it possible to use the CA certificate to sign a new certificate which uses your key pair and your name?
Yes, it is. But, this would only work if you have the CA’s private key. A valid signature cannot be generated
without the private key.
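
The two checks from "Identifying the real certificate owner" and "Protections against forgery", as an added Python example that is not part of the HP whitepaper: a CA signature over the certificate contents, and a challenge encrypted with the certificate's public key. It uses textbook RSA with small well-known primes for illustration only; the function names, the certificate layout and the device name are assumptions.

```python
# Added illustration, not HP code. Textbook RSA with small well-known primes:
# insecure by design. Real certificates use 2048-bit+ keys, padding and X.509.
import hashlib
import secrets

E = 65537  # common public exponent

def make_keypair(p, q):
    """Return ((n, e), (n, d)): public and private key from two primes."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(cert, n):
    """Hash the signed contents (name and public key) to an integer below n."""
    body = f"{cert['name']}|{cert['public_key']}".encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def issue(name, public_key, ca_private):
    """CA signs the certificate contents with its private key."""
    n, d = ca_private
    cert = {"name": name, "public_key": public_key}
    cert["signature"] = pow(digest(cert, n), d, n)
    return cert

def signature_ok(cert, ca_public):
    """Anyone holding the CA certificate (public key) can check the signature."""
    n, e = ca_public
    return pow(cert["signature"], e, n) == digest(cert, n)

def proves_possession(cert, presenter_private):
    """Encrypt a random challenge to the certificate's public key and see
    whether the presenter's private key recovers it."""
    n, e = cert["public_key"]
    challenge = secrets.randbelow(n - 2) + 2
    pn, d = presenter_private
    return pow(pow(challenge, e, n), d, pn) == challenge

def run_scenarios():
    # Constructed keys (Mersenne primes) and a constructed device name.
    ca_pub, ca_priv = make_keypair(2**127 - 1, 2**107 - 1)
    dev_pub, dev_priv = make_keypair(2**89 - 1, 2**61 - 1)
    bad_pub, bad_priv = make_keypair(2**31 - 1, 2**19 - 1)
    genuine = issue("printer-01.example", dev_pub, ca_priv)
    swapped = dict(genuine, public_key=bad_pub)  # key replaced, signature kept
    return {
        "genuine": (signature_ok(genuine, ca_pub), proves_possession(genuine, dev_priv)),
        "key_swapped": (signature_ok(swapped, ca_pub), proves_possession(swapped, bad_priv)),
        "cert_copied": (signature_ok(genuine, ca_pub), proves_possession(genuine, bad_priv)),
    }
```

run_scenarios() returns a pair (signature valid, possession proven) for each case; only the genuine certificate presented by the holder of the matching private key passes both checks.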