Advertisment
Archive

Digital Certificates

author-image
PCQ Bureau
New Update

Security has never been Internet’s strong point. A

hacker with malicious intent and a bit of luck can intercept sensitive data sent over the

Net. He could then use this information to carry out forged Internet transactions. So, if

this use of e-commerce is to become widespread, a reliable method of identity verification

is required. That is why digital certificates are being more commonly used by various

authentication techniques.

Advertisment

A digital certificate is a software object that guarantees

the identity of the sender. It’s given by a third party called a Certificate

Authority (CA) to anyone who wants to engage in secure transactions over the Net. It

issues a certificate only after verifying the party’s identity. This is done by

various means including checking the validity of e-mail addresses or verifying credit

accounts. In some cases the CA even checks the certificate holder’s relationship to

his company or organization.

pubkey.jpg (18943 bytes) align="right" hspace="5" vspace="5">Who

needs a certificate?

Companies conducting business over the Net can use digital

certificates to engage in secure Internet transactions. Moreover, traditional business

activities like banking are now shifting to the Internet. To take advantage of these new

services, security and privacy over the Net is essential. Without a certificate you risk

being impersonated on-line.

Advertisment

For instance, if you need to withdraw Rs 10,000 from your

bank account over the Net, the bank will allow the transaction only if you have a

certificate. Likewise, servers running vital business activities also need certificates.

With a certificate, users are assured that the server is indeed being run by the

organization it claims to be affiliated to.

Uses of certificates

Certificates are used in a number of techniques and by

various applications. One of the techniques called the Public Key Infrastructure (PKI)

uses public/private key algorithms and digital certificates to verify the authenticity of

all parties involved in an Internet transaction.

Advertisment

A public/private key algorithm generates a unique set of

keys–a public and private key–for the user. The individual distributes his

public key to all those he sends messages to. His private key is secret and kept only with

him. The way the keys are generated, it’s not possible to decipher the private key

from the public one.

While engaging in a digital transaction, the sender

encrypts a message with his private key. The recipient uses the sender’s public key

to decrypt it. If the message decrypts properly, the recipient can be sure that the mail

has been sent by the sender, and not by any other party.

Authorities

for digital certificates
Advertisment
Certificate authority Website Services Charges VeriSign www.verisign.com Digital certificates and enterprise PKI solutions Class 1 digital ID: $9.95 per year or free 60-day trial

edition Thawte www.thawte.com Digital certification products, services, and solutions Free mail certificate Basic certificate: $20 per year

Premium certificate: $100 per year
Advertisment
IBM www.ibm.com/security

 General security solutions As per the solution Entrust technologies www.entrust.com General security solutions As per the solution

What happens if the recipient doesn’t have the

sender’s public key? If he does manage to get the key from somewhere, how does he

verify the sender’s identity? This is where the PKI mechanism comes into picture.

Advertisment

The PKI mechanism

To understand why public/private key algorithm alone is

insufficient for an online transaction, and how the PKI mechanism overcomes its

limitations, let’s take a simple example.

  • There’s a computer B that wishes to send some sensitive

    data to A.
    • Advertisment
  • B sends a request to A asking for A’s public key.
  • An impostor intercepts this request and sends a forged and

    encrypted reply back to B along with his own public key to decrypt it.
  • The imposter also asks for B’s public key.
  • B then sends the imposter his public key, thinking that

    he’s sending it to A.
  • B sends the sensitive data encrypted with his private key to

    the imposter.
  • The imposter decrypts the data with B’s public key.

    • Throughout this process, B has no way of knowing whom the

    data is going to, thus posing a potential security risk to himself. Of course, this

    example is imprecise, and the actual process of forgery would be more involved.

    To prevent this kind of fraudulence, the PKI mechanism

    involves sending a digital certificate as an attachment along with an online transaction.

    This certificate, containing the owner’s name, his public key and some other

    information, is encrypted using the CA’s private key. This can only be decrypted

    using the CA’s public key. The CA frequently publishes its public key in various

    periodicals as well as on the Net.To understand how this works, let’s see how the above

    scenario changes when a certificate is used.

    • Computer B sends a request to A along with its certificate.
    • Now even if the imposter intercepts the message, he cannot

      impersonate A, as he cannot forge a certificate.
    • Therefore A receives the request, and decrypts it with the

      CA’s public key.
    • A knows that the message is from B, and not any imposter.
    • A replies back to B with his own certificate.
    • B receives the answer from A, and verifies the identity

      through the attached certificate.
    • The online transaction can thus take place safely.

      • Certificate authorities

      What happens if you don’t trust the certificate

      authority? In that case you check the certificate on its certificate, which is issued by

      another organization. This way a hierarchy of trust is set up, with the CA depending on

      other organizations and these organizations in turn depending on their governments for

      authentication. However, most of this trust hierarchy is still not in place. Currently a

      certificate issued by a CA is considered trustworthy and no further verification takes

      place.

      There are several CAs (see the box) whom you can contact to

      obtain digital certificates. Some of them even assist in setting up a complete

      company-wide public key infrastructure.

      Advertisment