by March 31, 1999 0 comments

Security has never been Internet’s strong point. A
hacker with malicious intent and a bit of luck can intercept sensitive data sent over the
Net. He could then use this information to carry out forged Internet transactions. So, if
this use of e-commerce is to become widespread, a reliable method of identity verification
is required. That is why digital certificates are being more commonly used by various
authentication techniques.

A digital certificate is a software object that guarantees
the identity of the sender. It’s given by a third party called a Certificate
Authority (CA) to anyone who wants to engage in secure transactions over the Net. It
issues a certificate only after verifying the party’s identity. This is done by
various means including checking the validity of e-mail addresses or verifying credit
accounts. In some cases the CA even checks the certificate holder’s relationship to
his company or organization.

Who
needs a certificate?

Companies conducting business over the Net can use digital
certificates to engage in secure Internet transactions. Moreover, traditional business
activities like banking are now shifting to the Internet. To take advantage of these new
services, security and privacy over the Net is essential. Without a certificate you risk
being impersonated on-line.

For instance, if you need to withdraw Rs 10,000 from your
bank account over the Net, the bank will allow the transaction only if you have a
certificate. Likewise, servers running vital business activities also need certificates.
With a certificate, users are assured that the server is indeed being run by the
organization it claims to be affiliated to.

Uses of certificates

Certificates are used in a number of techniques and by
various applications. One of the techniques called the Public Key Infrastructure (PKI)
uses public/private key algorithms and digital certificates to verify the authenticity of
all parties involved in an Internet transaction.

A public/private key algorithm generates a unique set of
keys–a public and private key–for the user. The individual distributes his
public key to all those he sends messages to. His private key is secret and kept only with
him. The way the keys are generated, it’s not possible to decipher the private key
from the public one.

While engaging in a digital transaction, the sender
encrypts a message with his private key. The recipient uses the sender’s public key
to decrypt it. If the message decrypts properly, the recipient can be sure that the mail
has been sent by the sender, and not by any other party.

Authorities
for digital certificates
Certificate authority Website Services Charges
VeriSign www.verisign.com Digital certificates and enterprise PKI solutions Class 1 digital ID: $9.95 per year or free 60-day trial
edition
Thawte www.thawte.com Digital certification products, services, and solutions Free mail certificate Basic certificate: $20 per year
Premium certificate: $100 per year
IBM www.ibm.com/security
General security solutions As per the solution
Entrust technologies www.entrust.com General security solutions As per the solution

What happens if the recipient doesn’t have the
sender’s public key? If he does manage to get the key from somewhere, how does he
verify the sender’s identity? This is where the PKI mechanism comes into picture.

The PKI mechanism

To understand why public/private key algorithm alone is
insufficient for an online transaction, and how the PKI mechanism overcomes its
limitations, let’s take a simple example.

  • There’s a computer B that wishes to send some sensitive
    data to A.
  • B sends a request to A asking for A’s public key.
  • An impostor intercepts this request and sends a forged and
    encrypted reply back to B along with his own public key to decrypt it.
  • The imposter also asks for B’s public key.
  • B then sends the imposter his public key, thinking that
    he’s sending it to A.
  • B sends the sensitive data encrypted with his private key to
    the imposter.
  • The imposter decrypts the data with B’s public key.

Throughout this process, B has no way of knowing whom the
data is going to, thus posing a potential security risk to himself. Of course, this
example is imprecise, and the actual process of forgery would be more involved.

To prevent this kind of fraudulence, the PKI mechanism
involves sending a digital certificate as an attachment along with an online transaction.
This certificate, containing the owner’s name, his public key and some other
information, is encrypted using the CA’s private key. This can only be decrypted
using the CA’s public key. The CA frequently publishes its public key in various
periodicals as well as on the Net.To understand how this works, let’s see how the above
scenario changes when a certificate is used.

  • Computer B sends a request to A along with its certificate.
  • Now even if the imposter intercepts the message, he cannot
    impersonate A, as he cannot forge a certificate.
  • Therefore A receives the request, and decrypts it with the
    CA’s public key.
  • A knows that the message is from B, and not any imposter.
  • A replies back to B with his own certificate.
  • B receives the answer from A, and verifies the identity
    through the attached certificate.
  • The online transaction can thus take place safely.

Certificate authorities

What happens if you don’t trust the certificate
authority? In that case you check the certificate on its certificate, which is issued by
another organization. This way a hierarchy of trust is set up, with the CA depending on
other organizations and these organizations in turn depending on their governments for
authentication. However, most of this trust hierarchy is still not in place. Currently a
certificate issued by a CA is considered trustworthy and no further verification takes
place.

There are several CAs (see the box) whom you can contact to
obtain digital certificates. Some of them even assist in setting up a complete
company-wide public key infrastructure.

No Comments so far

Jump into a conversation

No Comments Yet!

You can be the one to start a conversation.

<