A Public Key Infrastructure (PKI) is a system that supports secure communication through the use of digital certificates. Reflection supports the use of a PKI for host and user authentication during Secure Shell and SSL/TLS sessions.
Authentication is the process of reliably determining the identity of a communicating party. Identity can be proven by something you know (such as a password), something you have (such as a private key or token), or something intrinsic about you (such as a fingerprint). In a typical Telnet session to a remote host, the user authenticates with a password, but the host is not authenticated. More secure protocols, including Secure Shell and SSL/TLS, require host authentication. In both Secure Shell and SSL/TLS sessions, host authentication is accomplished using public key cryptography. In addition, both session types can also be configured to use public key cryptography for user authentication.
Public Key Cryptography
Public key cryptography uses a mathematical algorithm with a public/private key pair to encrypt and decrypt data. One of the keys is a public key, which can be freely distributed to communicating parties; the other is a private key, which should be kept secure by the owner of the key. Data encrypted with the private key can be decrypted only with the public key, and data encrypted with the public key can be decrypted only with the private key.
When keys are used for authentication, the party being authenticated creates a digital signature using the private key of a public/private key pair. The recipient must use the corresponding public key to verify the authenticity of the digital signature. This means that the recipient must have a copy of the other party's public key and trust in the authenticity of that key.
Digital certificates are an integral part of a PKI (Public Key Infrastructure). Certificates are issued by a certification authority (CA), which ensures the validity of the information in the certificate. Each certificate contains identifying information about the certificate owner, a copy of the certificate owner's public key (used to encrypt messages and to verify digital signatures), and a digital signature (generated by the CA over the certificate contents). The digital signature is used by a recipient to verify that the certificate has not been tampered with and can be trusted.
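To make the two signature checks above concrete, here is an added Go example (not Reflection's code and not from this page): a constructed root CA issues a user certificate, the recipient validates the CA's signature on that certificate against the root it trusts, and the user proves possession of the private key by signing a challenge that the recipient checks with the public key carried in the certificate. The CA name, user name, serial numbers and challenge value are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a certificate binding cn to pub and has signerKey (the CA's private key) sign it.
// Names, serials and lifetimes are constructed for this example; parent == nil means self-signed.
func issue(serial int64, cn string, isCA bool, parent *x509.Certificate, pub ed25519.PublicKey, signerKey ed25519.PrivateKey) *x509.Certificate {
	now := time.Now().Add(-time.Minute)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if isCA { t.KeyUsage = x509.KeyUsageCertSign } // a CA key signs certificates; a user key signs challenges
	if parent == nil { parent = t }
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signerKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der) // parse back so we hold exactly the bytes the CA signed
	return cert
}

// newPKI returns a self-signed root CA, a user certificate it issued, and the user's private key.
func newPKI() (*x509.Certificate, *x509.Certificate, ed25519.PrivateKey) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	userPub, userKey, _ := ed25519.GenerateKey(rand.Reader)
	ca := issue(1, "Example Root CA", true, nil, caPub, caKey)
	return ca, issue(2, "alice", false, ca, userPub, caKey), userKey
}

// trustedChain: the recipient checks the CA's signature on the user certificate against a root it trusts.
func trustedChain(user, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := user.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// signChallenge: the party being authenticated signs the host's challenge with its private key.
func signChallenge(key ed25519.PrivateKey, challenge []byte) []byte { return ed25519.Sign(key, challenge) }

// verifyChallenge: the recipient verifies that signature with the public key inside the certificate.
func verifyChallenge(cert *x509.Certificate, challenge, sig []byte) bool {
	return cert.CheckSignature(x509.PureEd25519, challenge, sig) == nil
}

func main() {
	ca, user, key := newPKI()
	challenge := []byte("constructed session nonce") // in practice a fresh random value chosen by the host
	fmt.Println(trustedChain(user, ca), verifyChallenge(user, challenge, signChallenge(key, challenge)))
}
```

A signature made with any other private key, or a certificate issued by a CA that is not in the trusted root set, fails the corresponding check.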
Digital certificate stores
Digital certificates are maintained on your computer in certificate stores. A certificate store contains the certificates you use to confirm the identity of remote parties, and may also contain personal certificates, which you use to identify yourself to remote parties. Personal certificates are associated with a private key on your computer.
Reflection can be configured to use digital certificates located in either or both of the following stores:
Reflection applications can be configured to authenticate using only those certificates located in the Reflection certificate store, or using both the Windows and the Reflection certificate stores. Enabling host authentication using the Windows certificate store means that you may not need to import certificates, because authentication may be accomplished using certificates that are already available. Disabling authentication using the Windows certificate store gives you greater control over which certificates are used for authentication. For more information, see Enabling or Disabling authentication using the Windows certificate store.
PKI in Reflection sessions
Reflection sessions support PKI authentication for both Secure Shell and SSL/TLS sessions.