When asked to show your identity in the real world you may
produce your ration card, driving license, passport, or birth certificate. In
the virtual world, however, these documents are not significant. Netizens will
not trust your identity even if you show them your scanned certificates and
photographs, or even a JPEG file of your signature. What’ll convince them is a
digital certificate. A digital certificate, which contains your digital
signature, serves as your valid ID on the Internet.
It has another function: ensuring that the content of your
e-mail is read only by the intended recipient and is not tampered with while in
transit. On an e-commerce site, for instance, it can help secure a credit-card
transaction. It does so by providing a medium for encrypted communication.
Identification
You send an e-mail to a client asking him about a critical
and confidential project report. How can your client be absolutely certain that
you are indeed the sender and not somebody posing as you? Your e-mail ID is not
sufficient to tell him that the mail is sent by you. SMTP (Simple Mail Transfer
Protocol) servers can be used to easily send anonymous e-mail or e-mail with
somebody else’s e-mail ID. In the absence of e-mail, your client would’ve
known your identity, as you would’ve sent him a personally signed letter. A
digital certificate in such a case serves to immediately establish your
identity.
Moreover, just as a stamped-paper document provides the proof
of the identity of a brick-and-mortar company, a digital certificate is the
proof of the identity of a Website. When you give your credit-card information
at a secure e-commerce site, it is encrypted and sent to the Web server hosting
the site. The Web server then decrypts this information to retrieve your
credit-card number. However, can you be sure about the sanctity of the site
itself? It has your credit-card information, which it can use for other reasons.
It is here that digital certificates provide proof of the identity of the site.
Encryption
Digital certificates are also useful when encrypted messages
are sent. A common encryption algorithm called the Public Key Infrastructure (PKI),
which employs two keys, a private key and a corresponding public key, is used to
encrypt mail. A message encrypted by a private key can only be
decrypted by the corresponding public key and vice-versa. The private key
remains with the sender (Web server or e-mail client), while the public key is
distributed to those with whom the sender wants to communicate through encrypted
mail. Public keys can be distributed directly via e-mail or through the Web.
Though a robust technique, it poses a problem. The recipient
has no way of knowing that the public key has been sent by the right sender.
This is where digital certificates come in. They are an authorized medium for
exchanging public keys as they certify your identity to the recipient.
Getting digital certificates
Why do you trust and believe a ration card, a driving
license, or a passport? Because trusted organizations that are affiliated to the
government issue them. Similarly, digital certificates are also issued by
trustworthy online organizations. Some of these include VeriSign, xcert.com,
pgp.com, and entrust.com. Certificate Authorities (CA) issue and maintain
digital certificates for companies and individuals. If you want to confirm
somebody’s identity, you can check with the certifying authority mentioned on
the person’s certificate. Web browsers and e-mail clients normally maintain a
list of known CAs and you can also add a new one if you want. (See article ‘Obtaining
Digital Certificates’, page 89, for more information.)
What does it contain?
A digital certificate contains information like the Website’s
domain or the sender’s e-mail ID, the name of the organization hosting the
server or the individual sending the e-mail, the name of the CA that issued this
certificate, and its expiry date. If PKI is used, then it usually has the public
key.
A digital certificate also contains what is called a digital
signature of the CA to authenticate the server itself. This is similar to the
real world where a person’s signature is verified to confirm his identity. The
CA’s digital signature consists of a message digest, which is constructed by
applying a one-way hashing algorithm to a randomly generated message. (It’s
called a one-way hash since there is no means of retrieving the original
message.) This hash is then encrypted using the server’s private key. The
client who downloads this digital certificate also receives the original
message, the CA’s public key, and the hashing algorithm used. The client then
uses the public key to decrypt the encrypted message digest and applies the
hashing algorithm to the original copy of the message. This way, the client gets
two copies of the message digest. If the two match, the client can be sure that
the server or the sender has the correct private key corresponding to the public
key. If not, then either the digital signature is fake, meaning it does not
belong to the sender, or the server does not have the right private key.
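The digest comparison described above, as an added example that is not part of the original article. In X.509 certificates as deployed, the CA hashes the certificate's own fields and signs that hash with the CA's private key, and the client checks it with the CA's public key. Toy textbook RSA built from known Mersenne primes stands in for a real signature scheme here, and every name, field value and key is constructed for illustration.

```python
import hashlib
import json
from datetime import date

def toy_keypair(p, q, e=65537):
    """Textbook RSA from two known primes: illustration only, not secure."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, e), (n, d)  # (public, private)

def digest(fields):
    """One-way hash over a canonical encoding of the certificate fields."""
    blob = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big")

def issue(fields, ca_private):
    """CA side: hash the fields, then sign the hash with the CA's private key."""
    n, d = ca_private
    return {"fields": fields, "signature": pow(digest(fields), d, n)}

def verify(cert, ca_public, today):
    """Client side: recover the signed digest and compare it with a fresh one."""
    n, e = ca_public
    if pow(cert["signature"], e, n) != digest(cert["fields"]):
        return "bad signature"
    if date.fromisoformat(cert["fields"]["expires"]) < today:
        return "expired"
    return "ok"

# Constructed keys: Mersenne primes keep this short and are trivially breakable.
CA_PUB, CA_PRIV = toy_keypair(2**521 - 1, 2**607 - 1)
_, OTHER_PRIV = toy_keypair(2**521 - 1, 2**1279 - 1)  # a CA the client does not trust

# Constructed certificate fields, following the list in the article.
FIELDS = {
    "subject": "www.shop.example",
    "organization": "Example Shop Ltd",
    "issuer": "Example Toy CA",
    "expires": "2031-01-01",
    "subject_public_key": "placeholder-public-key",
}
CERT = issue(FIELDS, CA_PRIV)
ALTERED = {"fields": {**FIELDS, "subject": "www.other.example"}, "signature": CERT["signature"]}
UNTRUSTED = issue(FIELDS, OTHER_PRIV)

if __name__ == "__main__":
    for name, cert in [("genuine", CERT), ("altered", ALTERED), ("untrusted CA", UNTRUSTED)]:
        print(name, "->", verify(cert, CA_PUB, date(2030, 6, 1)))
    print("genuine, after expiry ->", verify(CERT, CA_PUB, date(2032, 1, 1)))
```

Changing any field after issuance, or signing with a key other than the trusted CA's, makes the two digests differ, which is why the client's list of known CAs matters.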
Digital certificates are not limited to software and can also
be hard wired into hardware products, especially those related to security. It’s
being proposed that they also be used in cable modems so that there is no
unauthorized access to the data flowing in the cables.
Shekhar Govindarajan