Advertisment

What Digital Certificates do

author-image
PCQ Bureau
New Update

When asked to show your identity in the real world you may

produce your ration card, driving license, passport, or birth certificate. In

the virtual world, however, these documents are not significant. Netizens will

not trust your identity even if you show them your scanned certificates and

photographs, or even a JPEG file of your signature. What’ll convince them is a

digital certificate. A digital certificate, which contains your digital

signature, serves as your valid ID on the Internet.

Advertisment

It has another function. That of ensuring the content of your

e-mail is read only by the intended recipient and is not tampered with while in

transit. On an e-commerce site, for instance, they can help in a secure credit

card transaction. It does so by providing a medium for encrypted communication.

Identification

You send an e-mail to a client asking him about a critical

and confidential project report. How can your client be absolutely certain that

you are indeed the sender and not somebody posing as you? Your e-mail ID is not

sufficient to tell him that the mail is sent by you. SMTP (Simple Mail Transfer

Protocol) servers can be used to easily send anonymous e-mail or e-mail with

somebody else’s e-mail ID. In the absence of e-mail, your client would’ve

known your identity, as you would’ve sent him a personally signed letter. A

digital certificate in such a case serves to immediately establish your

identity.

Advertisment

Moreover, just as a stamped-paper document provides the proof

of the identity of a brick-and-mortar company, a digital certificate is the

proof of the identity of a Website. When you give your credit-card information

at a secure e-commerce site, it is encrypted and sent to the Web server hosting

the site. The Web server then decrypts this information to retrieve your

credit-card number. However, can you be sure about the sanctity of the site

itself? It has your credit-card information, which it can use for other reasons.

It is here that digital certificates provide proof of the identity of the site.

Encryption

Digital certificates are also useful when encrypted messages

are sent. A common encryption algorithm called the Public Key Infrastructure (PKI)

is used to encrypt mail, which employs two keys, a private key and a

corresponding public key. A message encrypted by a private key can only be

decrypted by the corresponding public key and vice-versa. The private key

remains with the sender (Web server or e-mail client), while the public key is

distributed to those with whom the sender wants to communicate through encrypted

mail. Public keys can be distributed directly via e-mail or through the Web.

Advertisment

Though a robust technique, it poses a problem. The recipient

has no way of knowing that the public key has been sent by the right sender.

This is where digital certificates come in. they are an authorized medium for

exchanging public keys as they certify your identity to the recipient.

Getting digital certificates

Why do you trust and believe a ration card, a driving

license, or a passport? Because trusted organizations that are affiliated to the

government issue them. Similarly, digital certificates are also issued by

trustworthy online organizations. Some of these include VeriSign, xcert.com,

pgp.com, and entrust.com. Certificate Authorities (CA) issue and maintain

digital certificates for companies and individuals. If you want to confirm

somebody’s identity, you can check with the certifying authority mentioned on

the person’s certificate. Web browsers and e-mail clients normally maintain a

list of known CAs and you can also add a new one if you want. (See article ‘Obtaining

Digital Certificates’, page 89, for more information.)

Advertisment

What does it contain?

A digital certificate contains information like the Website’s

domain or the sender’s e-mail ID, the name of the organization hosting the

server or the individual sending the e-mail, the name of the CA that issued this

certificate, and its expiry date. If PKI is used, then it usually has the public

key.

A digital certificate also contains what is called a digital

signature of the CA to authenticate the server itself. This is similar to the

real world where a person’s signature is verified to confirm his identity. The

CA’s digital signature consists of a message digest, which is constructed by

applying a one-way hashing algorithm to a randomly generated message. (It’s

called a one-way hash since there is no means of retrieving the original

message.) This hash is then encrypted using the server’s private key. The

client who downloads this digital certificate also receives the original

message, the CA’s public key, and the hashing algorithm used. The client then

uses the public key to decrypt the encrypted message digest and applies the

hashing algorithm to the original copy of the message. This way, the client gets

two copies of the message digest. If the two match the client can be sure that

the server or the sender has the correct private key corresponding to the public

key. If not, then either the digital signature is fake, meaning it does not

belong to the sender, or the server does not have the right private key.

Digital certificates are not limited to software and can also

be hard wired into hardware products, especially those related to security. It’s

being proposed that they also be used in cable modems so that there is no

unauthorized access to the data flowing in the cables.

Shekhar Govindarajan

Advertisment