When we think of VPN, the first thing we often think of is the encryption of user data. But adversaries or those trying to read the data could. However, an attacker could record a conversation and then play back the responses between the participants. What we need to do is be able to make sure that the source of the data is genuine, and that’s where digital certificates and signatures come in.

To build a digital signature, public key encryption systems must be implemented. Constructing the digital signature involves hashing the message by concatenating the message with a known secret key and then applying a mathematical function that will produce a fixed-length output known as a hash. The digest is then encrypted with the public decryption key which produces a signature that can be added to the message to verify that the message is from the genuine source.

The receiver recalculates the hash function and compares it with the signature after applying the public key. If the two match, then because only the author could have known the hash function and private key, the message must be genuine.

Message Digest algorithms use hash functions to map many potential inputs to each of a large number of outputs. The output is a fixed-length field, typically a few hundred bits long. A secret key is shared between the sender and receiver, and concatenating it with a message to transfer produces the digest.

MD5 (Message Digest 5) is probably the most widely used hash function and produces a 128-bit digest that is often added to the header before the packet is transmitted. Any change to the message will cause the digest to change, and even the source and destination IP addresses can be used along with the message content when creating the digest, which validates the addresses.

Another popular hash algorithm is SHA (Secure Hash Algorithm) which produces a 160-bit digest that guarantees higher security than MD5.

No matter how long the digest is, an identical digest will always result for an identical packet. But anyone wishing to attack the system could monitor the exchanges and determine which packets sent in any order would result in some known result. Therefore, this result could be reproduced by repeating the messages. This is known as a collision attack.

HMAC (Hash-Based Message Authentication Code) can be used to combat collision attacks by including two computed values known as ipad and opad, which are initially computed using the secret key for the first packet and recalculated for subsequent packets. The values are stored after each packet and retrieved for use in the next packet's digest calculation. This ensures that the digest is always different even for identical packets.
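The keyed digest and the replay problem described above, as an added example that is not code from the original page: it builds HMAC-SHA1 from the inner and outer pad values as defined in RFC 2104 and covers the source and destination addresses in the digest. The per-packet sequence number and the receiver's replay check are assumptions made here so that identical packets produce different digests; the key, addresses and payload are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

BLOCK = 64  # SHA-1 block size in bytes

def hmac_sha1(key, msg):
    """RFC 2104: H((K xor opad) || H((K xor ipad) || msg))."""
    if len(key) > BLOCK:
        key = hashlib.sha1(key).digest()
    key = key.ljust(BLOCK, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)   # inner padded key
    opad = bytes(b ^ 0x5C for b in key)   # outer padded key
    inner = hashlib.sha1(ipad + msg).digest()
    return hashlib.sha1(opad + inner).digest()

def tag_packet(key, src, dst, seq, payload):
    """160-bit digest over both addresses, a sequence number and the payload."""
    header = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    return hmac_sha1(key, header + struct.pack("!I", seq) + payload)

class Receiver:
    """Recomputes the digest, then rejects sequence numbers already seen."""
    def __init__(self, key):
        self.key, self.highest_seq = key, 0

    def accept(self, src, dst, seq, payload, tag):
        expected = tag_packet(self.key, src, dst, seq, payload)
        if not hmac.compare_digest(expected, tag):  # constant-time compare
            return "bad-digest"
        if seq <= self.highest_seq:
            return "replay"
        self.highest_seq = seq
        return "ok"

def demo():
    key = b"constructed-shared-secret"               # sample key, not a real one
    rx = Receiver(key)
    p = ("192.0.2.10", "198.51.100.7", 1, b"transfer 100")  # constructed packet
    t1 = tag_packet(key, *p)
    results = [rx.accept(*p, t1)]                     # genuine packet
    results.append(rx.accept(*p, t1))                 # recorded and played back
    results.append(rx.accept("192.0.2.66", *p[1:], t1))  # source address altered
    t2 = tag_packet(key, p[0], p[1], 2, p[3])         # same payload, next sequence
    results.append(rx.accept(p[0], p[1], 2, p[3], t2))
    return results, t1 != t2

if __name__ == "__main__":
    print(demo())
```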

A digital certificate is produced using some known information such as name, address, mother’s maiden name, house number, national insurance number, or indeed anything. This information is added to the public key and is then used as part of the hash function to create the hash which is then encrypted with the private key using a strong encryption system such as RSA or AES.

A digital certificate can be validated by passing it through the public encryption process with the public key for the user to produce the digest. This can be compared to computing the hash from the user’s claimed identity and their public key. If the two calculations give the same result, the certificate is valid. Digital certificates are attached to messages to verify the authenticity of the source of the message.
