Digital Certificates

Upload: eric-willis

Post on 24-Dec-2015


Page 1: Digital Certificates. What is a Digital Certificate? A digital certificate is the equivalent of your business card in the e-commerce world. It says who

Digital Certificates

What is a Digital Certificate?

A digital certificate is the equivalent of your business card in the e-commerce world. It says who you are.

Digital certificates are based on Private Key/Public Key technology.

What is Private Key/Public Key Technology?

Ciphers are used to encrypt data. Two of the more common types are:

Symmetrical Ciphers – They have one key which is used both to encrypt and to decrypt data. Some common symmetrical ciphers are DES and IDEA.

Asymmetrical Ciphers – These ciphers have two keys, one used for encryption and one for decryption. The most common type of these is Public Key and Private Key encryption.

Public and Private Keys can be used to authenticate both the source and recipient of a message.

How does Public/Private Key Encryption work?

In the following example Bill and Monica are close friends.

They have exchanged Public Keys with each other so that they can conduct private correspondence.

The Key to the Bill and Monica Story!

Bill wants to go out on a hot date with Monica, so he sends her an email asking her out. Bill wants Monica to know the message is from him, so he digitally signs it using his Private Key.

Monica gets the message and sees it is digitally signed by Bill. She knows that she can validate his signature by using his Public Key. She does this and now knows that it is from Bill.

But Bill is an amorous man and this message might not have been for her. He could be bulk Billing. What’s a girl to do?

The Key Goes On!

Monica decides to respond to Bill, but she only wants him to be able to read her message. She encrypts her message using Bill’s Public Key.

Bill gets Monica’s email and uses his Private Key to decrypt the message.

He has been made a very tempting offer, but he only knows that the message is for him. He is not certain it is from Monica.

Key Decisions!

Bill is very excited about Monica's offer and wants to ensure that Monica knows that the response is from him and is only for her.

Bill writes his response and signs this using his private key. This way Monica will know it is from him.

Bill then encrypts the message using Monica’s public key. The message can now only be decrypted by Monica's Private Key. As Monica is the only one with her Private Key this means that she knows the message is specifically for her. When she opens her email she will know that the message was for her and that it came from Bill. Let the good times roll!
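The Bill and Monica exchange above, worked through in textbook RSA as an added example (this code is not part of the original slides): the sender signs with their Private Key, the recipient checks with the sender's Public Key, and confidentiality comes from encrypting with the recipient's Public Key. The keys and the message are constructed for illustration; the moduli are far too small for real use, and pow(x, -1, m) needs Python 3.8 or later.

```python
import hashlib
from math import gcd

E = 65537  # public exponent commonly used by real RSA keys

def make_keypair(p, q):
    """Textbook RSA keypair from two primes (illustration only; real keys use ~2048-bit moduli)."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(E, phi) == 1
    return (n, E), (n, pow(E, -1, phi))  # (public, private); pow(x, -1, m) needs Python 3.8+

def _h(msg, n):
    # Sign the SHA-256 digest, not the raw text (real schemes also add PSS or PKCS#1 padding).
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg, priv):            # page 5: Bill signs with his Private Key
    n, d = priv
    return pow(_h(msg, n), d, n)

def verify(msg, sig, pub):      # page 5: Monica validates with Bill's Public Key
    n, e = pub
    return pow(sig, e, n) == _h(msg, n)

def encrypt(data, pub):         # page 6: encrypt with the recipient's Public Key
    n, e = pub
    # 8-byte chunks with a 0x01 sentinel so leading zero bytes survive the int round-trip
    return [pow(int.from_bytes(b"\x01" + data[i:i + 8], "big"), e, n)
            for i in range(0, len(data), 8)]

def decrypt(blocks, priv):      # page 6: only the matching Private Key can reverse it
    n, d = priv
    return b"".join(pow(c, d, n).to_bytes(9, "big").lstrip(b"\x00")[1:] for c in blocks)

def send_signed_private(msg, sender_priv, recipient_pub):   # page 7: sign, then encrypt
    sig = sign(msg, sender_priv)
    sig_bytes = sig.to_bytes((sender_priv[0].bit_length() + 7) // 8, "big")
    return encrypt(msg + sig_bytes, recipient_pub)

def receive_signed_private(blocks, recipient_priv, sender_pub):
    plain = decrypt(blocks, recipient_priv)
    k = (sender_pub[0].bit_length() + 7) // 8
    msg, sig = plain[:-k], int.from_bytes(plain[-k:], "big")
    return msg, verify(msg, sig, sender_pub)   # (message, was it really from the sender?)

# Constructed toy keys built from Mersenne primes (known to be prime, but far too small for real use).
BILL_PUB, BILL_PRIV = make_keypair(2**31 - 1, 2**61 - 1)
MONICA_PUB, MONICA_PRIV = make_keypair(2**89 - 1, 2**107 - 1)

if __name__ == "__main__":
    sealed = send_signed_private(b"Dinner on Friday?", BILL_PRIV, MONICA_PUB)
    print(receive_signed_private(sealed, MONICA_PRIV, BILL_PUB))  # (b'Dinner on Friday?', True)
```

Checking the signature against a different sender key, or against an altered message, returns False, which is the "is it really from Bill?" question the story turns on.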

Where else can you use Digital Certificates?

Many organisations use SSL Digital Certificates. These are used to facilitate encryption of links for Web/Email applications.

Why use an SSL Certificate?

Prior to the use of SSL Certificates, sensitive information transferred using Web/Email based applications was often passed between the computer and the server in clear text.

This meant that Userids, Passwords and Information could all be viewed if someone made use of a sniffing tool such as a packet sniffer.

SSL certificates can provide organisations with: Secure e-mail; Secure Electronic Commerce; Secure Software Publishing; Client Authentication; and Smart Card logon capabilities.

How Does SSL Encryption Work?

Secure Socket Layer (SSL) comes in 40 and 128 bit encryption. These bit numbers designate the length of the key used. For example, a 40 bit encryption key has 2 to the 40th power (or 1,099,511,627,776) possible key combinations.

The only real way to crack an SSL document is by using brute force attacks, using every key combination possible until you hit the correct one.

This is extremely time consuming. One of the first cracks of this type used 120 computers running parallel processes and took 8 days to search half the key space.

How Do You Get an SSL Certificate?

SSL certificates are generated by a Certification Authority (CA). A CA provides the following services:

Issues Certificates for Server Authentication, Client Authentication, and Secure Email.

Integrates with Active Directory (AD) to publish Certificates and CRLs, and to provide CA Information.

Can provide Certificate Enrollment using mechanisms such as an ActiveX control or a Win32 wizard.

What Types of CAs Exist?

Types of CAs are:

Enterprise: Domain authentication of requests; templates define certificate content.

Stand Alone: Out-of-band authentication of requests.

Exchange: KMS-specific policy modules; KMS provides key archival/recovery for email.

How does an Organisation get its Certificates?

Digital certificates can be:

Self-signed – meaning that the organisation is the CA; or

Commercially signed – which means that the certificates are generated using a recognised commercial CA.

VeriSign is one company that generates commercially signed certificates.

Commercial-Signed Certificates

They offer a good degree of assurance to relying parties.

They require less management overhead. Commercial-signed certificates are not easy to forge. However, they ARE a costly solution.

Self-Signed Certificates

Don’t offer a good degree of assurance to relying parties.

Require a significant amount of management.

They are easy to forge. They are cost effective.

Commercial or Internal certificates?

There are reasonable grounds for an organisation to generate its own certificates for internal systems.

HOWEVER, there is still a need to use Commercially Signed Certificates when conducting business with external agencies. Some examples would be: Secure e-mail; and Electronic Commerce.