Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Technology Overview
This guide is a brief introduction to the standardized technology of Digital Certificate and PKI.
Digital Certificates are a means by which consumers and businesses can utilise the security applications of
Public Key Infrastructure (PKI). PKI comprises of the technology to enables secure e-commerce and Internet
based communication.
What is PKI?
Public Key Infrastructure (PKI) refers to the technical mechanisms, procedures and policies that collectively
provide a framework for addressing the previously illustrated fundamentals of security - authentication,
confidentiality, integrity, non-repudiation and access control.
PKI enables people and businesses to utilise a number of secure Internet applications. For example, secure and
legally binding emails and Internet based transactions, and services delivery can all be achieved through the use
of PKI.
PKI utilises two core elements; Public Key Cryptography and Certification Authorities.
The only way to transform the data back into intelligible form is to reverse the encryption (known as decryption).
Public Key Cryptography encryption and decryption is performed with Public and Private Keys.
Because the key pair is mathematically related, whatever is encrypted with a Public Key may only be decrypted
by its corresponding Private Key and vice versa.
For example, if Bob wants to send sensitive data to Alice, and wants to be sure that only Alice may be able to
read it, he will encrypt the data with Alice's Public Key. Only Alice has access to her corresponding Private Key
and as a result is the only person with the capability of decrypting the encrypted data back into its original form.
As only Alice has access to her Private Key, it is possible that only Alice can decrypt the encrypted data. Even if
someone else gains access to the encrypted data, it will remain confidential as they should not have access to
Alice's Private Key.
Public Key Cryptography can therefore achieve Confidentiality. However another important aspect of Public Key
Cryptography is its ability to create a Digital Signature.
< Previous | Next >
Digital Signatures
Digital Signatures apply the same functionality to an e-mail message or data file that a handwritten signature
does for a paper-based document. The Digital Signature vouches for the origin and integrity of a message,
document or other data file.
The creation of a Digital Signature is a complex mathematical process. However as the complexities of the
process are computed by the computer, applying a Digital Signature is no more difficult that creating a
handwritten one!
The following process illustrates in general terms the processes behind the generation of a Digital Signature:
1. Alice clicks 'sign' in her email application or selects which file is to be signed.
2. Alice's computer calculates the 'hash' (the message is applied to a publicly known mathematical hashing
function that coverts the message into a long number referred to as the hash).
3. The hash is encrypted with Alice's Private Key (in this case it is known as the Signing Key) to create the Digital
Signature.
4. The original message and its Digital Signature are transmitted to Bob.
5. Bob receives the signed message. It is identified as being signed, so his email application knows which
actions need to be performed to verify it.
6. Bob's computer decrypts the Digital Signature using Alice's Public Key.
7. Bob's computer also calculates the hash of the original message (remember - the mathematical function used
by Alice to do this is publicly known).
8. Bob's computer compares the hashes it has computed from the received message with the now decrypted
hash received with Alice's message.
Represented diagrammatically:
If the message has remained integral during its transit (i.e. it has not been tampered with), when compared the
two hashes will be identical.
However, if the two hashes differ when compared then the integrity of the original message has been
compromised. If the original message is tampered with it will result in Bob's computer calculating a different hash
value. If a different hash value is created, then the original message will have been altered. As a result the
verification of the Digital Signature will fail and Bob will be informed.
Due to the recent Global adoption of Digital Signature law, Alice may now sign a transaction, message or piece
of digital data, and so long as it is verified successfully it is a legally permissible means of proof that Alice has
made the transaction or written the message.
Previously we referred to Public Keys being available to everyone, the next question is how do we go about
making them available to everyone in a safe, secure and scalable way? Generally speaking we use small data
files known as Digital Certificate.
< Previous | Next >
Users may enroll for a Digital Certificate via the Web. Upon completion of the necessary
forms, the user's Internet Browser will create a Public Key Pair. The Public half of the
key pair is then sent to the CA along with all other data to appear in the Digital
Certificate, while the Private Key is secured on the user's chosen storage medium (hard
disk, floppy or hardware token, etc).
The CA must verify the submitted data before binding the identification data to the
submitted Public Key. This prevents an impostor obtaining a Certificate that binds his
Public Key to someone else's identity and conducting fraudulent transactions using that
identity.
If submitted data is in good order the CA will issue a Digital Certificate to the applicant
stated within the submitted information. Upon issuance, the CA will enter the Digital
Certificate into a public repository.
Personal: Used by Individuals requiring secure email and web based transactions.
Organisation: Used by corporates to identify employees for secure email and
web based transactions.
Server: To prove ownership of a domain name and establish SSL / TLS encrypted
sessions between their website and a visitor.
Developer: To prove authorship and retain integrity of distributed software
programs.
Identification / Authentication:
The CA attests to the identity of the Certificate applicant when it signs the Digital Certificate.
Confidentiality:
The Public Key within the Digital Certificate is used to encrypt data to ensure that only the intended recipient can
decrypt and read it.
Integrity:
By Digitally Signing the message or data, the recipient has a means of identifying any tampering made on the
signed message or data.
Non-Repudiation:
A signed message proves origin, as only the sender has access to the Private Key used to sign the data.
Access Control:
Access Control may be achieved through use of the Digital Certificate for identification (and hence the
replacement of passwords etc). Additionally, as data can be encrypted for specific individuals, we can ensure that
only the intended individuals gain access to the information within the encrypted data.
< Previous | Next >
To view the specific details of a Certificate, select the Certificate from the boxed list and click 'view'. The
Certificate details will then be displayed. These details give general information about the Certificate, who owns
it, who issued it, and what it may be used for:
The above Certificate states that the corresponding Private Key is also held. This informs us that this Certificate
is being viewed by its owner (as only they have access to the Private Key stated).
To view additional details, click the 'Details' tab. This section details the contents of the Certificate as dictated by
the x.509 standard. Clicking on a field will display the specifics of a field:
As discussed previously, it is imperative that a Trusted Certification Authority issue the Digital Certificate in order
to prevent fraudulent Certificates being used throughout the PKI. Therefore, we must be able to verify that the
Certificate was issued by a CA. This information may be checked in the Certificate Path details: