
Introduction to Digital Certificate

Technology Overview
This guide is a brief introduction to the standardized technology of Digital Certificates and PKI.
Digital Certificates are a means by which consumers and businesses can utilise the security applications of
Public Key Infrastructure (PKI). PKI comprises the technology that enables secure e-commerce and
Internet-based communication.

Why is security needed on the Internet?


We are now experiencing the information age. The number of people and businesses online is continuing to
increase at an unprecedented rate. As access becomes faster and cheaper such people will spend even more
time connected to the Internet for personal communication and business transactions.
However, the Internet is an open communications network. Anybody can use the Internet, and consequently
anyone can exploit its vulnerabilities for fraudulent gain. If the Internet is to succeed as a business and
communications tool it requires the fundamentals of security.

What does security provide?


Identification / Authentication:
The persons / entities with whom we are communicating are really who they say they are.
Confidentiality:
The information within the message or transaction is kept confidential. It may only be read and understood by the
intended sender and receiver.
Integrity:
The information within the message or transaction is not tampered with, accidentally or deliberately, en route
without all parties involved being aware of the tampering.
Non-Repudiation:
The sender cannot deny sending the message or transaction, and the receiver cannot deny receiving it.
Access Control:
Access to the protected information is only realized by the intended person or entity.
All the above security properties can be achieved and implemented through the use of Public Key Infrastructure
(in particular Digital Certificates).

What is PKI?
Public Key Infrastructure (PKI) refers to the technical mechanisms, procedures and policies that collectively
provide a framework for addressing the previously illustrated fundamentals of security - authentication,
confidentiality, integrity, non-repudiation and access control.
PKI enables people and businesses to utilise a number of secure Internet applications. For example, secure and
legally binding emails and Internet based transactions, and services delivery can all be achieved through the use
of PKI.
PKI utilises two core elements: Public Key Cryptography and Certification Authorities.

Encryption and Decryption


The benefits of PKI are delivered through the use of Public Key Cryptography. A core aspect of Public Key
Cryptography is the encryption and decryption of digital data.
Encryption is the conversion of data into seemingly random, incomprehensible data. Its meaningless form
ensures that it remains unintelligible to everyone for whom it is not intended, even if they have access to
the encrypted data.

The only way to transform the data back into intelligible form is to reverse the encryption (known as decryption).
Public Key Cryptography encryption and decryption is performed with Public and Private Keys.

Public Key and Private Keys


The Public and Private Key pair comprises two uniquely related cryptographic keys (basically long random
numbers). Below is an example of a Public Key:
3048 0241 00C9 18FA CF8D EB2D EFD5 FD37 89B9 E069 EA97 FC20 5E35 F577 EE31 C4FB C6E4 4811
7D86 BC8F BAFA 362F 922B F01B 2F40 C744 2654 C0DD 2881 D673 CA2B 4003 C266 E2CD CB02 0301
0001
The Public Key is what its name suggests - Public. It is made available to everyone via a publicly accessible
repository or directory. On the other hand, the Private Key must remain confidential to its respective owner.

Because the key pair is mathematically related, whatever is encrypted with a Public Key may only be decrypted
by its corresponding Private Key and vice versa.
For example, if Bob wants to send sensitive data to Alice, and wants to be sure that only Alice may be able to
read it, he will encrypt the data with Alice's Public Key. Only Alice has access to her corresponding Private Key
and as a result is the only person with the capability of decrypting the encrypted data back into its original form.

As only Alice has access to her Private Key, only Alice can decrypt the encrypted data. Even if
someone else gains access to the encrypted data, it will remain confidential as they should not have access to
Alice's Private Key.
Public Key Cryptography can therefore achieve Confidentiality. However another important aspect of Public Key
Cryptography is its ability to create a Digital Signature.

Digital Signatures
Digital Signatures apply the same functionality to an e-mail message or data file that a handwritten signature
does for a paper-based document. The Digital Signature vouches for the origin and integrity of a message,
document or other data file.

How do we create a Digital Signature?

The creation of a Digital Signature is a complex mathematical process. However, as the complexities of the
process are handled by the computer, applying a Digital Signature is no more difficult than creating a
handwritten one!
The following process illustrates in general terms the processes behind the generation of a Digital Signature:
1. Alice clicks 'sign' in her email application or selects which file is to be signed.
2. Alice's computer calculates the 'hash' (the message is applied to a publicly known mathematical hashing
function that converts the message into a long number referred to as the hash).
3. The hash is encrypted with Alice's Private Key (in this case it is known as the Signing Key) to create the Digital
Signature.
4. The original message and its Digital Signature are transmitted to Bob.
5. Bob receives the signed message. It is identified as being signed, so his email application knows which
actions need to be performed to verify it.
6. Bob's computer decrypts the Digital Signature using Alice's Public Key.
7. Bob's computer also calculates the hash of the original message (remember - the mathematical function used
by Alice to do this is publicly known).
8. Bob's computer compares the hash it has computed from the received message with the now decrypted
hash received with Alice's message.
Represented diagrammatically:

If the message has remained intact during its transit (i.e. it has not been tampered with), the two hashes
will be identical when compared.
However, if the two hashes differ, the integrity of the original message has been compromised. If the
original message is tampered with, Bob's computer will calculate a different hash value from the one Alice
signed. As a result the verification of the Digital Signature will fail and Bob will be informed.

Origin, Integrity and Non-Repudiation:


Trent, who wants to impersonate Alice, cannot generate the same signature as Alice because Trent does not have
Alice's Private Key (needed to sign the message digest). If instead Trent decides to alter the content of the
message while in transit, the tampered message will produce a different message digest from the original message,
and Bob's computer will be able to detect that. Additionally, Alice cannot deny sending the message as it has
been signed using her Private Key, thus ensuring non-repudiation.

Due to the recent global adoption of Digital Signature law, Alice may now sign a transaction, message or piece
of digital data, and so long as it is verified successfully it is a legally permissible means of proof that Alice has
made the transaction or written the message.
Previously we referred to Public Keys being available to everyone. The next question is how we go about
making them available to everyone in a safe, secure and scalable way. Generally speaking, we use small data
files known as Digital Certificates.

What is a Digital Certificate, and why do you need one?


A Digital Certificate is a digital file used to cryptographically bind an entity's Public Key to specific attributes
relating to its identity. The entity may be a person, organisation, web entity or software application. Just as a
driving license or passport binds a photograph to personal information about its holder, a Digital Certificate
binds a Public Key to information about its owner.
In other words, Alice's Digital Certificate attests to the fact that her Public Key belongs to her, and only her. As
well as the Public Key, a Digital Certificate also contains personal or corporate information used to identify the
Certificate holder, and as Certificates are finite, a Certificate expiry date.

Digital Certificates and Certification Authorities


Digital Certificates are issued by Certification Authorities (CAs). Just as a central trusted body is used to issue
driving licenses or passports, a CA fulfils the role of the Trusted Third Party by accepting Certificate applications
from entities, authenticating applications, issuing Certificates and maintaining status information about the
Certificates issued.
The incorporation of a CA into PKI ensures that people cannot masquerade on the Internet as people they are
not by issuing their own fake Digital Certificates for illegitimate use.
The Trusted Third Party CAs will verify the identity of the Certificate applicant before attesting to their identity by
Digitally Signing the applicant's Certificate. Because the Digital Certificate itself is now a signed data file, its
authenticity can be ascertained by verifying its Digital Signature. Therefore, in the same way we verify the Digital
Signature of a signed message, we can verify the authenticity of a Digital Certificate by verifying its signature.
Because CAs are trusted, their own Public Keys, which are used to verify the signatures of issued Digital
Certificates, are widely publicised through many channels.
The CA provides a Certification Practice Statement (CPS) that clearly states its policies and practices regarding
the issuance and maintenance of Certificates within the PKI. The CPS contains operational information and legal
information on the roles and responsibilities of all entities involved in the Certificate lifecycle (from the day it is
issued to the day it expires).
Digital Certificates are issued under the technical recommendations of the X.509 Digital Certificate format as
published by the International Telecommunication Union-Telecommunications Standardization Sector (ITU-T).

Enrolling for a Digital Certificate

Users may enroll for a Digital Certificate via the Web. Upon completion of the necessary
forms, the user's Internet Browser will create a Public Key Pair. The Public half of the
key pair is then sent to the CA along with all other data to appear in the Digital
Certificate, while the Private Key is secured on the user's chosen storage medium (hard
disk, floppy or hardware token, etc).
The CA must verify the submitted data before binding the identification data to the
submitted Public Key. This prevents an impostor obtaining a Certificate that binds his
Public Key to someone else's identity and conducting fraudulent transactions using that
identity.
If submitted data is in good order the CA will issue a Digital Certificate to the applicant
stated within the submitted information. Upon issuance, the CA will enter the Digital
Certificate into a public repository.

Distributing Digital Certificates


As well as Digital Certificates being available in public repositories, they may also be
distributed through the use of Digital Signatures. For example, when Alice Digitally signs
a message for Bob she also attaches her Certificate to the outgoing message. Therefore,
upon receiving the signed message Bob can verify the validity of Alice's Certificate. If it
is successfully verified, Bob now has Alice's Public Key and can verify the validity of the
original message signed by Alice.
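
The signing steps, the CA's signature on a Certificate and the distribution flow described above fit together as in the following added example, which is not part of the original guide. It assumes toy RSA keys built from known Mersenne primes and unpadded "hash then private-key" signing exactly as the steps describe; real signatures use much larger random keys and a padding scheme, and all names here are illustrative.

```python
import hashlib

E = 65537  # public exponent shared by every toy key below

def make_key(p_bits, q_bits):
    """Toy RSA key from two Mersenne primes (constructed, insecure, demo only)."""
    p, q = 2**p_bits - 1, 2**q_bits - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, key):
    # Steps 2-3: hash the data, then apply the Private (signing) Key to the hash.
    return pow(digest(data), key["d"], key["n"])

def verify(data, sig, n):
    # Steps 6-8: recover the hash with the Public Key and compare with a fresh hash.
    return pow(sig, E, n) == digest(data)

def tbs(cert):
    # The bytes the CA signs: the identity and the Public Key it is bound to.
    return f"{cert['subject']}|{cert['n']:x}".encode()

def issue(subject, subject_n, ca_key):
    cert = {"subject": subject, "n": subject_n}
    return {**cert, "ca_sig": sign(tbs(cert), ca_key)}

def bob_accepts(message, sig, cert, expected_sender, ca_n):
    # Bob trusts only the CA's Public Key; everything else arrives with the message.
    if not verify(tbs(cert), cert["ca_sig"], ca_n):
        return "reject: certificate not signed by the CA"
    if cert["subject"] != expected_sender:
        return "reject: certificate belongs to someone else"
    if not verify(message, sig, cert["n"]):
        return "reject: message signature does not verify"
    return "accept"

CA, ALICE, TRENT = make_key(607, 1279), make_key(127, 521), make_key(89, 521)

def scenarios():
    msg = b"Pay Bob 100"
    alice_cert = issue("Alice", ALICE["n"], CA)
    sig = sign(msg, ALICE)
    forged = issue("Alice", TRENT["n"], TRENT)  # Trent acts as his own "CA"
    return {
        "genuine": bob_accepts(msg, sig, alice_cert, "Alice", CA["n"]),
        "tampered": bob_accepts(b"Pay Bob 900", sig, alice_cert, "Alice", CA["n"]),
        "self_issued": bob_accepts(msg, sign(msg, TRENT), forged, "Alice", CA["n"]),
        "wrong_key": bob_accepts(msg, sign(msg, TRENT), alice_cert, "Alice", CA["n"]),
    }

if __name__ == "__main__":
    print(scenarios())
```

Only the genuine case is accepted: the altered message and the signature made with Trent's key fail the message check, and the Certificate Trent issued to himself fails against the CA's Public Key.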

Different types of Digital Certificate


Dependent on their usage Digital Certificates are available in a number of different types:

Personal: Used by Individuals requiring secure email and web based transactions.
Organisation: Used by corporates to identify employees for secure email and
web based transactions.

Server: To prove ownership of a domain name and establish SSL / TLS encrypted
sessions between their website and a visitor.
Developer: To prove authorship and retain integrity of distributed software
programs.

Different Classes of Digital Certificate


Digital Certificates are available in different classes dependent on the level of verification
carried out by the CA into the legitimacy of the information submitted by the applicant.
Generally speaking, the higher the class, the higher the level of verification. A high level
of verification could then mean that the Certificate may be used for more critical
functions, such as online banking or providing one's identity for e-commerce transaction
payment protocols.
Certificate class is tied closely with Certificate type. Low classes contain little or no
personal information (for example just an email address). Certificates
belonging to such classes may be used for secure email, but prove impractical when
used by an organisation or web entity that requires the Certificate to prove trust.
Therefore the usage of a Certificate and its applicability to specific tasks are highly
dependent on its class (the level of verification carried out by the CA).

Real world applications for Digital Certificates

So far we have briefly illustrated the theory behind the Digital Certificate and its role in the delivery of PKI.
The following pages now look at the practicalities of using a Digital Certificate, where to find them on your PC,
and what they actually look like.

Using Digital Certificates to deliver the 5 primary security functions

Identification / Authentication:
The CA attests to the identity of the Certificate applicant when it signs the Digital Certificate.

Confidentiality:
The Public Key within the Digital Certificate is used to encrypt data to ensure that only the intended recipient can
decrypt and read it.

Integrity:
By Digitally Signing the message or data, the recipient has a means of identifying any tampering made on the
signed message or data.

Non-Repudiation:
A signed message proves origin, as only the sender has access to the Private Key used to sign the data.

Access Control:
Access Control may be achieved through use of the Digital Certificate for identification (and hence the
replacement of passwords etc). Additionally, as data can be encrypted for specific individuals, we can ensure that
only the intended individuals gain access to the information within the encrypted data.

How do I view Digital Certificates on my PC?

You may view your Digital Certificate store by:

For MS Internet Explorer Users:


1. Open your MS Internet Explorer
2. Click on the Tools menu
3. From the drop down list select Internet Options
4. Click the Content tab
5. Click the Certificates button
If you have enrolled for one (or more), your Digital Certificates will appear within the Personal section. If you
have received or downloaded Other People's Digital Certificates, they will appear in the Other People section.
You may also view all Intermediary and Root Certificates (belonging to Certification Authorities) from this
Manager.

To view the specific details of a Certificate, select the Certificate from the boxed list and click 'view'. The
Certificate details will then be displayed. These details give general information about the Certificate, who owns
it, who issued it, and what it may be used for:

The above Certificate states that the corresponding Private Key is also held. This informs us that this Certificate
is being viewed by its owner (as only they have access to the Private Key stated).
To view additional details, click the 'Details' tab. This section details the contents of the Certificate as dictated by
the X.509 standard. Clicking on a field will display the specifics of that field:

As discussed previously, it is imperative that a Trusted Certification Authority issue the Digital Certificate in order
to prevent fraudulent Certificates being used throughout the PKI. Therefore, we must be able to verify that the
Certificate was issued by a CA. This information may be checked in the Certificate Path details:

For Netscape Users:


1. Open your Netscape Communicator
2. Click on the Communicator menu
3. From the drop down list select Tools and then select Security Info
4. Click on the Certificates link to view and learn more about each Certificate type stored by Netscape

What does my Private Key look like?


Private Keys are not easily viewed simply because they need to remain secure. They exist for the most part in an
encrypted state within the registry of the Operating System. However, if specified at the time of key pair
generation, it is possible to export a Private Key as a data file for backup purposes. Like any cryptographic key,
Private Keys are simply long, random numbers.

Preventing unauthorized use of a Private Key


To prevent unauthorized use of a Private Key (especially if the Private Key resides on a shared computer) you may
specify that access control be applied to the usage of the Private Key. Then, whenever the Private Key is
required (for decryption or digital signing), you will be required to confirm its use or will be prompted for the
password you have attached to that Private Key.
