Posted by : Unknown
Friday, May 3, 2013
DIGITAL CERTIFICATES
Introduction to digital certificates:
A digital certificate is equivalent to an electronic ID card. It
serves two purposes:
Certificates provide a way of authenticating
users, referred to as authentication by trusted third parties. Instead of
requiring each participant in an application to authenticate every user,
third-party authentication relies on the use of certificates, electronic ID
cards.
Certificates are issued by trusted parties, called certificate authorities (CAs). These authorities can be commercial ventures or they can be local entities, depending on the requirements of your application. Regardless, the CA is trusted to adequately authenticate users before issuing certificates to them. Also, when a CA issues certificates, it digitally signs them. When a user presents a certificate, the recipient of the certificate validates it by using the digital signature. If the digital signature validates the certificate, the certificate is known to be intact and authentic. Participants in an application need only to validate certificates; they do not need to authenticate users themselves. The fact that a user can present a valid certificate proves that the CA has authenticated the user. The descriptor trusted third-party indicates that the system relies on the trustworthiness of the CAs.
What are digital certificates?
Digital certificates are primarily used to authenticate communication
over the Internet. There are three categories of digital certificates. Web
Server Certificates, Developer Certificates and Personal Certificates:
1. Web Server Certificates: These are the electronic equivalent of a business
license. They assure potential customers that the site they are visiting is a
legitimate business.
2. Developer Certificates: These certificates enable developers to sign
software and macros and deliver them safely to customers over the Internet.
The customer can be confident that the software or macros are legitimate.
3. Personal Certificates: These certificates secure e-mail conversations
and access to corporate web servers.
For simplicity, this paper will focus primarily on Personal
Digital Certificates, which are used primarily to authenticate e-mail
communication.
Personal certificates are like a driver’s license or a passport. They
are both provided to you by a trusted source. When you show this as proof of
identity to someone else, it gives them confidence they are dealing with the
real you. For a company, certificates are similar to a business license in
that they validate a business is legitimate.
If Sue sees a signed icon in an e-mail message she receives
from Joe, she can be assured that the e-mail is actually from Joe.
Personal digital certificates provide assurance that the person or entity
sending the e-mail is who they say they are.
Digital certificates allow one to have confidence that the person or
company with whom they are communicating is indeed who they claim to be. When
used in combination with encryption (this ability comes with the
certificate), certificates provide additional assurance that only the
intended party can access the data and that the data will not be compromised
en route. Digital certificates allow applications like e-mail, online
trading, and credit card purchasing to be conducted in a secure environment.
The most secure use of authentication involves enclosing one or more
certificates with every signed message. The receiver of the message verifies
the certificate using the certifying authority's public key and, now
confident of the public key of the sender, verifies the message's signature.
There may be two or more certificates enclosed with the message, forming a
hierarchical certificate chain, wherein one certificate testifies to the
authenticity of the previous certificate.
At the end of a certificate hierarchy is a top-level certifying
authority, which is trusted without a certificate from any other certifying
authority. The public key of the top-level certifying authority must be
independently known, for example, by being widely published.
Definitions:
As I was researching this paper, I was amazed at how difficult these
companies make it for a non-technical person to understand what a digital
certificate is and why they are necessary.
Take a look at the four definitions below. The first two are from
providers’ web sites and require a basic understanding of encryption and
private and public keys. The second two are from informational websites that
are designed to help people understand the terms used in e-commerce. Notice
the lack of jargon and the use of familiar terms in the second two
definitions.
Provider Definitions:
RSA Security defines digital certificates as "digital documents
attesting to the binding of a public key to an individual or other entity.
They allow verification of the claim that a specific public key does in fact
belong to a specific individual."
Equifax defines them as "electronic credentials that allow secure
communications between two parties. Digital certificates help identify and
encrypt electronic messages over networks like the Internet, company
intranets or extranets. A digital certificate attaches the holder’s identity
to a unique pair of software keys: a
Informational Website Definitions:
Internet.com defines digital certificates as the electronic
counterparts to drivers' licenses, passports, or membership cards. They are
computer files a person attaches to anything they may send over the Internet.
They contain information like the certificate owner's name, the name of the
certificate authority (CA) that issued it and a public encryption key. Each
party in a SET transaction requires a digital certificate that identifies him
as the legitimate user of a bank card or credit card or merchant account.
Webopedia.com defines them as "an attachment to an electronic
message used for security purposes. The most common use of a digital
certificate is to verify that a user sending a message is who he or she
claims to be, and to provide the receiver with the means to encode a
reply."
X.509
As one might expect, digital certificates are not all the same. Therefore,
even if you have a digital certificate, the person you are communicating with
may not be able to recognize it, because the software they are using does not
support it.
In an attempt to overcome this issue, the International
Telecommunication Union (ITU) developed the X.509 standard, which defines
what information must be contained in a digital certificate.
Here's the catch: the X.509 standard is not really a standard at all.
Instead, X.509 is a recommendation. This means that it has not yet been
officially defined or approved and, as a result, companies have implemented
the "standard" in different ways.
For example, "both Netscape and Microsoft use X.509 certificates
to implement SSL in their Web servers and browsers. But an X.509 Certificate
generated by Netscape may not be readable by Microsoft products, and vice
versa."
Requesting certificates
To get a certificate, you must send a certificate request to the CA. The
certificate request includes the following:
The message-digest function is run over all these fields.
The CA
verifies the signature with the public key in the request to ensure that the
request is intact and authentic. The CA then authenticates the owner. Exactly
what the authentication consists of depends on a prior agreement between the
CA and the requesting organization. If the owner in the request is
successfully authenticated, the CA issues a certificate for that owner.
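The request-and-check exchange just described, as an added example in Go (not code from the original page): the owner signs a request that carries their own public key, and the CA's first step is to check that signature before it goes on to authenticate the owner. Ed25519 keys and the owner name joe@example.com are assumptions; Tamper simulates an in-transit change to the request so that the failure case is visible.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
)

// MakeRequest builds a DER certificate request for owner, signed with the owner's
// private key. Ed25519 is an assumption; the page names no algorithm.
func MakeRequest(owner string) ([]byte, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: owner}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// CACheck is the CA-side step: parse the request and verify its signature with the
// public key it carries. Authenticating the owner is a separate, out-of-band step.
func CACheck(der []byte) (string, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return "", err
	}
	if err := csr.CheckSignature(); err != nil {
		return "", err
	}
	return csr.Subject.CommonName, nil
}

// Tamper alters one byte of the owner name in transit without changing any length,
// so the request still parses but no longer matches its signature.
func Tamper(der []byte, owner string) ([]byte, error) {
	i := bytes.Index(der, []byte(owner))
	if i < 0 {
		return nil, errors.New("owner name not found in request")
	}
	out := append([]byte(nil), der...)
	out[i] ^= 0x01
	return out, nil
}
```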
Contents of a digital certificate:
A certificate contains several pieces of information, including information
about the owner of the certificate and the issuing CA. Specifically, a
certificate includes:
The information in a certificate allows an application to decide if it
should honor the certificate. With the expiration date, the application can
determine if the certificate is still valid. With the name of the issuing CA,
the application can check that the CA is considered trustworthy by the site.
Using certificates:
Chains of trust and self-signed certificates
To verify the digital signature on a certificate, you must have the public
key of the issuing CA. Since public keys are distributed in certificates, you
must have a certificate for the issuing CA. That certificate will in turn be
signed by its own issuer. One CA can certify other CAs, so there can be a
chain of CAs issuing certificates for other CAs, all of whose public keys you
need. Eventually, though, you reach a starting point. The starting point is a
root CA that issues itself a self-signed certificate. In order to validate a
user's certificate, you need certificates for all intervening participants,
back to the root CA. Then you have the public keys you need to validate each
certificate, including the user's. These keys and certificates are stored in
a keyring.
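An added example in Go, not from the original page, of the chain of trust described here and in the hierarchical-chain passage earlier: a self-signed root issues an intermediate CA certificate, the intermediate issues the user's certificate, and the verifier accepts the user's certificate only when the chain ends at a root whose key it already trusts. Ed25519 keys, the CA names, the user joe@example.com and the 24-hour validity period are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
// issue makes an Ed25519 key pair (an assumption; the page names no algorithm) and a
// certificate for subject signed by parentKey; parent == nil yields a self-signed root.
func issue(subject string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(pub, err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed serial
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // the expiry a verifier checks
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if parent == nil { // a root CA signs its own certificate
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// VerifyChain walks from the user's certificate through the enclosed intermediate back
// to a root whose key the verifier already trusts; all other keys come from certificates.
func VerifyChain(user, intermediate, root *x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(intermediate)
	_, err := user.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err == nil
}

// Demo: root -> issuing CA -> user, checked against the real root and an unrelated one.
func Demo() (trusted, untrusted bool) {
	root, rootKey := issue("Example Root CA", true, nil, nil)
	inter, interKey := issue("Example Issuing CA", true, root, rootKey)
	user, _ := issue("joe@example.com", false, inter, interKey)
	other, _ := issue("Unrelated Root CA", true, nil, nil)
	return VerifyChain(user, inter, root), VerifyChain(user, inter, other)
}
```

Demo returns true for the chain anchored in the known root and false for the same chain checked against an unrelated root, which is the "unknown CA" warning the paper later describes.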
How do you use Digital Certificates?
Personal certificates are primarily used for
e-mail. Once a person has purchased a digital certificate from one of the many
sources (listed later in this paper), they can begin signing outgoing messages.
When sending e-mail using Netscape Messenger, select the Message Sending
Options tab in the message window and enable the signed checkbox.
To have the system automatically sign all outgoing
messages, open the Netscape Communicator Security Advisor by choosing Security
Info from the Communicator menu. Click on the Messenger link
to display the Messenger Security Settings and enable the Sign mail
messages, when it is possible checkbox. To automatically sign outgoing
discussion (news) messages enable the Sign discussion (news) messages, when
it is possible checkbox.
The recipient will see a signed icon that
indicates the message has been signed – that is, the recipient will see a
signed icon if he or she is also using Netscape (we’ll get into this issue
later in the paper as well).
How DCs protect the data
Encryption & Digital Certificates are the
solution for Internet Commerce. Used together, they protect your data as it
travels over the Internet.
Encryption is the process of using a mathematical
algorithm to transform information into a format that can't be read (this
format is called cipher text). Decryption is the process of using
another algorithm to transform encrypted information back into a readable
format (this format is called plain text).
Digital Certificates are your digital passport, an Internet ID. They are
verification of who you are and of the integrity of your data.
Combined, encryption and digital certificates protect and secure your data in
the following four ways:
- Authentication: This is
digital verification of who you are, much in the same way your driver's
license proves your identity. It is very easy to send spoofed email. I can
email anyone in the world pretending I am the President of the United
States. Using standard email, there is no way to verify who the sender is,
i.e. if it is actually the President. With digital signatures and
certificates, you digitally encode verifiable proof of your identity into
the email.
- Integrity: This is the verification that the data you sent has not been
altered. When email or other data travels across the Internet, it routes
through various gateways (way stations). It is possible for people to
capture, alter, then resend the message. For example, your boss emails the
company president stating that you should be fired. It is possible for you
to intercept that email and change it to say you deserve a $10,000 raise.
With digital certificates, your email cannot be altered without the
recipient knowing.
- Encryption: This ensures that your data cannot be read or utilized by any
party while in transit. Your message is encrypted into incomprehensible
gibberish before it leaves your computer. It maintains its encrypted
(gibberish) state during its travel through the Internet. It is not
decrypted until the recipient receives it. Because of the public-key
cryptography used (discussed later), only the recipient can decipher the
received message; no one else can.
- Token verification: Digital tokens replace your password, which can be
easily guessed. Tokens offer a more secure way of access to sensitive data.
The most common way to secure data or a web site is with passwords. Before
anyone accesses the data, they are prompted for their user login id and
password. However, this is easily cracked using various security software
(such as Crack 5.0, etc.). Also, passwords can be found by other means, such
as social engineering. Passwords are not secure. Token verification is more
secure. Your digital certificate is an encrypted file that sits on your hard
drive. When you need access to a system, that system asks you for your
digital certificate instead of a password. Your computer would then send the
certificate, in encrypted format, through the Internet, authorizing you for
access. For this to be compromised, someone would have to copy this file
from your computer AND know your password to decrypt the file.
Digital Certificate Providers
CertCo: www.certco.com/
Digital Signature Trust: www.digsigtrust.com
Encommerce: www.encommerce.com/
Entegrity: www.entegrity.com/
Entrust: www.entrust.com/
Equifax: http://www.equifax.com/
GTE CyberTrust: www.cybertrust.gte.com/cybertrust/index.html
Litronic: www.litronic.com/
RSA Security: www.rsasecurity.com/
Setco: www.setco.org/
Thawte: www.thawte.com/
Valicert: www.valicert.com/
Verisign: digitalid.verisign.com/client/class1MS.htm
Xcert: www.xcert.com/
Pricing
Prices range widely for digital certificates. The
following is a comparison of Thawte and Verisign prices.
Service                      | Thawte | Verisign
-----------------------------+--------+---------
Server Certificates          |        |
  Initial Server Certificate | $125   | $349
  Server Certificate Renewal | $100   | $249
Personal Certificates        |        |
  Class 1                    | Free   | $14.95
  Class 2                    | $20    | $14.95
Developer Certificates       |        |
  Initial Certificate        | $200   | $400
  Renewal                    | $100   | $400
Conclusion
Digital Certificates provide a way to authenticate
communication on the Internet. They come in three flavors: personal, web
server, and developer certificates. Personal certificates are primarily used
for e-mail.
Universal acceptance and widespread use will depend on the industry's
ability to communicate in understandable terms and the development of a true
standard.
Four factors emerge from the ten survey responses
as possible reasons for the lagging acceptance of certificates by technical
documentation departments:
- cost
- compatibility
- perceived need
- familiarity
First, the capital outlay is significant and needs
to be justified. It easily costs over $10,000 to deploy an adequately
configured digital certificate system. In addition, there are staff training
and ongoing system maintenance costs that, in most cases, exceed the capital
investment.
Second, while there are standards for digital certificate formatting and
content, not all applications recognize the same endorsing entities. This
application incompatibility often results in false warnings that a digital
certificate may not be valid even though it is, and defeats the fundamental
purpose of the system.
Third, it is difficult to isolate a case of
document theft or compromise that would only be mitigated by certificates and
not by other security measures such as stronger password protection. Thus,
there is no clear need perceived by technical documentation professionals to
use digital certificates.
Finally, as stated at the beginning, encryption is
a mystery to many of us. Put all these factors together and the response rate
is not surprising. A larger survey reaching more industries and writers is
needed for conclusive results. That said, the digital certificate remains the
most promising solution for ubiquitous electronic authentication and the
leading applications are delivering the ability to use it today. So, although
it is new to many of us, if popular novelist Stephen King is making it work,
chances are you will have a certificate of your own tucked securely away in
your PC in the coming years.
Knowledge about the different revocation methods is not very widespread.
Efficient and practicable methods are still needed and remain a topic of
today's research. A main requirement for new developments and new ideas is
that they can easily be integrated into the widely used X.509 certificates.
This article covers almost everything about digital certificates. I find it the most relevant and excellent guide which all the readers will also find helpful.