This guide is a brief introduction to Digital Certificate and Public-Private Keys PKI technologies.
Digital Certificates are a means by which consumers and businesses can utilise the security applications of Public Key Infrastructure (PKI). PKI comprises of the technology to enables secure e-commerce and Internet-based communication.
Why is security needed on the Internet?
The number of people and businesses online is continuing to increase. As access becomes faster and cheaper such people will spend even more time connected to the Internet for personal communication and business transactions.
The Internet is an open communications network that was not originally designed with security in mind. Criminals have found they can exploit its vulnerabilities for fraudulent gain. If the Internet is to succeed as a business and communications tool users must be able to communicate securely.
What does security provide?
Identification / Authentication:
The persons/entities with whom we are communicating are really who they say they are.
The information within the message or transaction is kept confidential. It may only be read and understood by the intended sender and receiver.
The information within the message or transaction is not tampered with accidentally or deliberately with en route without all parties involved being aware of the tampering.
The sender cannot deny sending the message or transaction, and the receiver cannot deny receiving it.
Access to the protected information is only realized by the intended person or entity.
All the above security properties can be achieved and implemented through the use of Public Key Infrastructure (in particular Digital Certificates).
Public Key Infrastructure (PKI) refers to the technical mechanisms, procedures and policies that collectively provide a framework for addressing the previously illustrated fundamentals of security – authentication, confidentiality, integrity, non-repudiation and access control.
PKI enables people and businesses to utilise a number of secure Internet applications. For example, secure and legally binding emails and Internet-based transactions, and services delivery can all be achieved through the use of PKI.
PKI utilises two core elements; Public Key Cryptography and Certification Authorities.
Encryption and Decryption
The benefits of PKI are delivered through the use of Public Key Cryptography. A core aspect of Public Key Cryptography is the encryption and decryption of digital data.
Encryption is the conversion of data into seemingly random, incomprehensible data. Its meaningless form ensures that it remains unintelligible to everyone for whom it is not intended, even if the intended have access to the encrypted data.
The only way to transform the data back into intelligible form is to reverse the encryption (known as decryption). Public Key Cryptography encryption and decryption is performed with Public and Private Keys.
The Public and Private key pair comprise of two uniquely related cryptographic keys (basically long random numbers). Below is an example of a Public Key:
3048 0241 00C9 18FA CF8D EB2D EFD5 FD37 89B9 E069 EA97 FC20 5E35 F577 EE31 C4FB C6E4 4811 7D86 BC8F BAFA 362F 922B F01B 2F40 C744 2654 C0DD 2881 D673 CA2B 4003 C266 E2CD CB02 0301 0001
The Public Key is what its name suggests – Public. It is made available to everyone via a publicly accessible repository or directory. On the other hand, the Private Key must remain confidential to its respective owner.
Because the key pair is mathematically related, whatever is encrypted with a Public Key may only be decrypted by its corresponding Private Key and vice versa.
For example, if A wants to send sensitive data to B, and wants to be sure that only B may be able to read it, he will encrypt the data with B’s Public Key. Only B has access to their corresponding Private Key and as a result is the only person with the capability of decrypting the encrypted data back into its original form.
As only B has access to their Private Key, it is possible that only B can decrypt the encrypted data. Even if someone else gains access to the encrypted data, it will remain confidential as they should not have access to B’s Private Key.
Public-Private Keys Cryptography can, therefore, achieve Confidentiality. However, another important aspect of Public Private Keys Cryptography is its ability to create a Digital Signature.
Digital Signatures apply the same functionality to an e-mail message or data file that a handwritten signature does for a paper-based document. The Digital Signature vouches for the origin and integrity of a message, document or other data file.
How do we create a Digital Signature?
The creation of a Digital Signature is a complex mathematical process. However, as the complexities of the process are computed by the computer, applying a Digital Signature is no more difficult than creating a handwritten one!
The following process illustrates in general terms the processes behind the generation of a Digital Signature:
1. B clicks ‘sign’ in their email application or selects which file is to be signed.
2. B’s computer calculates the ‘hash’ (the message is applied to a publicly known mathematical hashing function that converts the message into a long number referred to as the hash).
3. The hash is encrypted with B’s Private Key (in this case it is known as the Signing Key) to create the Digital Signature.
4. The original message and its Digital Signature are transmitted to A.
5. A receives the signed message. It is identified as being signed, so his email application knows which actions need to be performed to verify it.
6. A’s computer decrypts the Digital Signature using B’s Public Key.
7. A’s computer also calculates the hash of the original message (remember – the mathematical function used by B to do this is publicly known).
8. A’s computer compares the hashes it has computed from the received message with the now decrypted hash received with B’s message.
If the message has remained integral during its transit (i.e. it has not been tampered with), when compared the two hashes will be identical.
However, if the two hashes differ when compared then the integrity of the original message has been compromised. If the original message is tampered with it will result in A’s computer calculating a different hash value. If a different hash value is created, then the original message will have been altered. As a result, the verification of the Digital Signature will fail and Bob will be informed.
Origin, Integrity and Non-Repudiation:
Hacker H, who wants to impersonate B, cannot generate the same signature as B because they do not have B’s Private Key (needed to sign the message digest). If instead, H decides to alter the content of the message while in transit, the tampered message will create a different message digest to the original message, and A’s computer will be able to detect that. Additionally, B cannot deny sending the message as it has been signed using their Private Key, thus ensuring non-repudiation.
Due to the recent Global adoption of Digital Signature law, B may now sign a transaction, message or piece of digital data, and so long as it is verified successfully it is a legally permissible means of proof that Alice has made the transaction or written the message.
Previously we referred to Public Keys being available to everyone, the next question is how do we go about making them available to everyone in a safe, secure and scalable way? Generally speaking, we use small data files known as Digital Certificate.
A Digital Certificate is a digital file used to cryptographically bind an entity’s Public Key to specific attributes relating to its identity. The entity may be a person, organisation, web entity or software application. Like a driving license or passport binds a photograph to personal information about its holder, a Digital Certificate binds a Public Key to information about its owner.
In other words, B’s Digital Certificate attests to the fact that their Public Key belongs to them, and only them. As well as the Public Key, a Digital Certificate also contains personal or corporate information used to identify the Certificate holder, and as Certificates are finite, a Certificate expiry date.
Digital Certificates and Certification Authorities
Digital Certificates are issued by Certification Authorities (CA). Like a central trusted body is used to issue driving licenses or passports, a CA fulfils the role of the Trusted Third Party by accepting Certificate applications from entities, authenticating applications, issuing Certificates and maintaining status information about the Certificates issued.
The incorporation of a CA into PKI ensures that people cannot masquerade on the Internet as people they are not by issuing their own fake Digital Certificates for illegitimate use.
The Trusted Third Party CAs will verify the identity of the Certificate applicant before attesting to their identity by Digitally Signing the applicant’s Certificate. Because the Digital Certificate itself is now a signed data file, its authenticity can be ascertained by verifying its Digital Signature. Therefore, in the same way, we verify the Digital Signature of a signed message, we can verify the authenticity of a Digital Certificate by verifying its signature.
Because CAs are trusted, their own Public Keys used to verify the signatures of issued Digital Certificates are publicised through many mediums widely.
The CA provides a Certification Practice Statement (CPS) that clearly states its policies and practices regarding the issuance and maintenance of Certificates within the PKI. The CPS contains operational information and legal information on the roles and responsibilities of all entities involved in the Certificate lifecycle (from the day it is issued to the day it expires).
Digital Certificates are issued under the technical recommendations of the x.509 Digital Certificate format as published by the International Telecommunication Union-Telecommunications Standardization Sector (ITU-T).
Users may enrol for a Digital Certificate via the Web. Upon completion of the necessary forms, the user’s Internet Browser will create a Public Key Pair. The Public half of the key pair is then sent to the CA along with all other data to appear in the Digital Certificate, while the Private Key is secured on the user’s chosen storage medium (hard disk, floppy or hardware token, etc).
The CA must verify the submitted data before binding the identification data to the submitted Public Key. This prevents an impostor obtaining a Certificate that binds his Public Key to someone else’s identity and conducting fraudulent transactions using that identity.
If submitted data is in good order the CA will issue a Digital Certificate to the applicant stated within the submitted information. Upon issuance, the CA will enter the Digital Certificate into a public repository.
Distributing Digital Certificates
As well as Digital Certificates being available in public repositories, they may also be distributed through the use of Digital Signatures. For example, when B Digitally signs a message for A they also attach their Certificate to the outgoing message. Therefore, upon receiving the signed message A can verify the validity of B’s Certificate. If it is successfully verified, A now has B’s Public Key and can verify the validity of the original message signed by B.
Different types of Digital Certificate
Dependent on their usage Digital Certificates are available in a number of different types:
- Personal: Used by Individuals requiring secure email and web-based transactions.
- Organisation: Used by corporates to identify employees for secure email and web-based transactions.
- Server: To prove ownership of a domain name and establish SSL / TLS encrypted sessions between their website and a visitor.
- Developer: To prove authorship and retain the integrity of distributed software programs.
Different Classes of Digital Certificate
Digital Certificates are available in different classes depending on the level of verification carried out by the CA into the legitimacy of the information submitted by the applicant. Generally speaking, the higher the class, the higher the level of verification. A high level of verification could then mean that the Certificate may be used for more critical functions, such as online banking or providing one’s identity for e-commerce transaction payment protocols.
Certificate class is tied closely with Certificate type. Low classes contain little or no amount of personal information (for example just an email address). Certificates belonging to such classes may be used for secure email, however, do prove impractical if being used by an organisation or web entity that requires the Certificate to prove trust. Therefore the usage and applicability for specific tasks for the Certificate is highly dependent on the class (level of verification carried out by the CA).