Security has never been Internet’s strong point. A
hacker with malicious intent and a bit of luck can intercept sensitive data sent over the
Net. He could then use this information to carry out forged Internet transactions. So, if
this use of e-commerce is to become widespread, a reliable method of identity verification
is required. That is why digital certificates are being more commonly used by various
authentication techniques.
A digital certificate is a software object that guarantees
the identity of the sender. It’s given by a third party called a Certificate
Authority (CA) to anyone who wants to engage in secure transactions over the Net. It
issues a certificate only after verifying the party’s identity. This is done by
various means including checking the validity of e-mail addresses or verifying credit
accounts. In some cases the CA even checks the certificate holder’s relationship to
his company or organization.
align="right" hspace="5" vspace="5">Who
needs a certificate?
Companies conducting business over the Net can use digital
certificates to engage in secure Internet transactions. Moreover, traditional business
activities like banking are now shifting to the Internet. To take advantage of these new
services, security and privacy over the Net is essential. Without a certificate you risk
being impersonated on-line.
For instance, if you need to withdraw Rs 10,000 from your
bank account over the Net, the bank will allow the transaction only if you have a
certificate. Likewise, servers running vital business activities also need certificates.
With a certificate, users are assured that the server is indeed being run by the
organization it claims to be affiliated to.
Uses of certificates
Certificates are used in a number of techniques and by
various applications. One of the techniques called the Public Key Infrastructure (PKI)
uses public/private key algorithms and digital certificates to verify the authenticity of
all parties involved in an Internet transaction.
A public/private key algorithm generates a unique set of
keys–a public and private key–for the user. The individual distributes his
public key to all those he sends messages to. His private key is secret and kept only with
him. The way the keys are generated, it’s not possible to decipher the private key
from the public one.
While engaging in a digital transaction, the sender
encrypts a message with his private key. The recipient uses the sender’s public key
to decrypt it. If the message decrypts properly, the recipient can be sure that the mail
has been sent by the sender, and not by any other party.
for digital certificates
edition
Premium certificate: $100 per year
What happens if the recipient doesn’t have the
sender’s public key? If he does manage to get the key from somewhere, how does he
verify the sender’s identity? This is where the PKI mechanism comes into picture.
The PKI mechanism
To understand why public/private key algorithm alone is
insufficient for an online transaction, and how the PKI mechanism overcomes its
limitations, let’s take a simple example.
data to A.
encrypted reply back to B along with his own public key to decrypt it.
he’s sending it to A.
the imposter.
Throughout this process, B has no way of knowing whom the
data is going to, thus posing a potential security risk to himself. Of course, this
example is imprecise, and the actual process of forgery would be more involved.
To prevent this kind of fraudulence, the PKI mechanism
involves sending a digital certificate as an attachment along with an online transaction.
This certificate, containing the owner’s name, his public key and some other
information, is encrypted using the CA’s private key. This can only be decrypted
using the CA’s public key. The CA frequently publishes its public key in various
periodicals as well as on the Net.
scenario changes when a certificate is used.
impersonate A, as he cannot forge a certificate.
CA’s public key.
through the attached certificate.
Certificate authorities
What happens if you don’t trust the certificate
authority? In that case you check the certificate on its certificate, which is issued by
another organization. This way a hierarchy of trust is set up, with the CA depending on
other organizations and these organizations in turn depending on their governments for
authentication. However, most of this trust hierarchy is still not in place. Currently a
certificate issued by a CA is considered trustworthy and no further verification takes
place.
There are several CAs (see the box) whom you can contact to
obtain digital certificates. Some of them even assist in setting up a complete
company-wide public key infrastructure.