Posted by : Unknown Friday, May 3, 2013

         DIGITAL CERTIFICATES

Introduction to digital certificates:                                       

A digital certificate is equivalent to an electronic ID card. It serves two purposes:
  • To establish the identity of the owner of the certificate
  • To distribute the owner's public key
Certificates provide a way of authenticating users, referred to as authentication by trusted third parties. Instead of requiring each participant in an application to authenticate every user, third-party authentication relies on the use of certificates, electronic ID cards.

Certificates are issued by trusted parties, called certificate authorities (CAs). These authorities can be commercial ventures or they can be local entities, depending on the requirements of your application. Regardless, the CA is trusted to adequately authenticate users before issuing certificates to them. Also, when a CA issues certificates, it digitally signs them. When a user presents a certificate, the recipient of the certificate validates it by using the digital signature. If the digital signature validates the certificate, the certificate is known to be intact and authentic. Participants in an application need only to validate certificates; they do not need to authenticate users themselves. The fact that a user can present a valid certificate proves that the CA has authenticated the user. The descriptor trusted third-party indicates that the system relies on the trustworthiness of the CAs.

What are digital certificates?
Digital certificates are primarily used to authenticate communication over the Internet. There are three categories of digital certificates. Web Server Certificates, Developer Certificates and Personal Certificates:

1.      Web Server Certificates: These are the electronic equivalent of a business license. It assures potential customers that the site they are visiting is a legitimate business.
2.     Developer Certificates: These certificates enable developers to sign software and macros and deliver them safely to customers over the Internet. The customer can be confident that the software or macros are legitimate.
3.     Personal Certificates: These certificates secures e-mail conversations and access to corporate web servers.



For simplicity purposes, this paper will focus primarily on Personal Digital Certificates, which are used primarily to authenticate e-mail communication.
Personal certificates are like a driver’s license or a passport. They are both provided to you by a trusted source. When you show this as proof of identity to someone else, it gives them confidence they are dealing with the real you. For a company, certificates are similar to a business license in that they validate a business is legitimate.
If Sue sees a signed icon in an e-mail message she receives from Joe, she can be assured that the e-mail is actually from Joe. Personal digital certificates provide assurance that the person or entity sending the e-mail is who they say they are.
Digital certificates allow one to have confidence that the person or company with whom they are communicating is indeed who they claim to be. When used in combination with encryption (this ability comes with the certificate), certificates provide additional assurance that only the intended party can access the data and that the data will not be compromised en route. Digital certificates allow applications like e-mail, online trading, and credit card purchasing to be conducted in a secure environment.
The most secure use of authentication involves enclosing one or more certificates with every signed message. The receiver of the message verifies the certificate using the certifying authority's public key and, now confident of the public key of the sender, verifies the message's signature. There may be two or more certificates enclosed with the message, forming a hierarchical certificate chain, wherein one certificate testifies to the authenticity of the previous certificate.
At the end of a certificate hierarchy is a top-level certifying authority, which is trusted without a certificate from any other certifying authority. The public key of the top-level certifying authority must be independently known, for example, by being widely published.
Definitions:
As I was researching this paper, I was amazed at how difficult these companies make it for a non-technical person to understand what a digital certificate is and why they are necessary.
Take a look at the four definitions below. The first two are from providers’ web sites and require a basic understanding of encryption and private and public keys. The second two are from informational websites that are designed to help people understand the terms used in e-commerce. Notice the lack of jargon and the use of familiar terms in the second two definitions.


Provider Definitions:
RSA Security defines digital certificates as "digital documents attesting to the binding of a public key to an individual or other entity. They allow verification of the claim that a specific public key does in fact belong to a specific individual. "
Equifax defines them as "electronic credentials that allow secure communications between two parties. Digital certificates help identify and encrypt electronic messages over networks like the Internet, company intranets or extranets. A digital certificate attaches the holder’s identity to a unique pair of software keys: a
Informational Website Definitions:
Internet.com defines digital certificates as the electronic counterparts to drivers' licenses, passports, or membership cards. They are computer files a person attaches to anything they may send over the Internet. They contain information like the certificate owner's name, the name of the certificate authority (CA) that issued it and a public encryption key. Each party in a SET transaction requires a digital certificate that identifies him as the legitimate user of a bank card or credit card or merchant account.
Webopedia.com defines them as "an attachment to an electronic message used for security purposes. The most common use of a digital certificate is to verify that a user sending a message is who he or she claims to be, and to provide the receiver with the means to encode a reply."

X.509
As one might expect, digital certificates are not all the same. And, therefore, even if you have a digital certificate, the person you are communicating with may not know it because the software they are using doesn’t recognize it.
In an attempt to overcome this issue, the International Telecommunications Union (ITU) developed the X.509 standard – which defines what information must be contained in a digital certificate.
Here’s the catch, the X.509 standard is not really as standard at all. Instead, X.509 is a recommendation. This means that it has not yet been officially defined or approved and as a result, companies have implemented the "standard" in different ways.


For example, "both Netscape and Microsoft use X.509 certificates to implement SSL in their Web servers and browsers. But an X.509 Certificate generated by Netscape may not be readable by Microsoft products, and vice versa.

Requesting certificates

To get a certificate, you must send a certificate request to the CA. The certificate request includes the following:
  • The distinguished name of the owner (the user for whom the certificate is being requested).
  • The public key of the owner.
  • The digital signature of the owner.
The message-digest function is run over all these fields.
The CA verifies the signature with the public key in the request to ensure that the request is intact and authentic. The CA then authenticates the owner. Exactly what the authentication consists of depends on a prior agreement between the CA and the requesting organization. If the owner in the request is successfully authenticated, the CA issues a certificate for that owner.

Contents of a digital certificate :

A certificate contains several pieces of information, including information about the owner of the certificate and the issuing CA. Specifically, a certificate includes:
  • The distinguished name (DN) of the owner. A DN is a unique identifier, a fully qualified name including not only the common name (CN) of the owner, but the owner's organization and other distinguishing information.
  • The public key of the owner.
  • The date on which the certificate was issued.
  • The date on which the certificate expires.
  • The distinguished name of the issuing CA.
  • The digital signature of the issuing CA. (The message-digest function is run over all the preceding fields.)
The information in a certificate allows an application to decide if it should honor the certificate. With the expiration date, the application can determine if the certificate is still valid. With the name of the issuing CA, the application can check that the CA is considered trustworthy by the site.

Using certificates:

 Chains of trust and self-signed certificates

To verify the digital signature on a certificate, you must have the public key of the issuing CA. Since public keys are distributed in certificates, you must have a certificate for the
issuing CA. That certificate will be signed by the issuer. One CA can certify other CAs, so there can be a chain of CAs issuing certificates for other CAs, all of whose public keys you need. Eventually, though, you reach a starting point. The starting point is a root CA that issues itself a self-signed certificate. In order to validate a user's certificate, you need certificates for all intervening participants, back to the root CA. Then you have the public keys you need to validate each certificate, including the user's. These keys and certificates are stored in keyring. .











































                                                                                                                 
How do you use Digital Certificates?
Personal certificates are primarily used for e-mail. Once a person has purchased a digital certificate from one of the many sources (listed later in this paper), they can begin signing outgoing messages. When sending e-mail using Netscape Messenger, select the Message Sending Options tab in the message window and enable the signed checkbox.
To have the system automatically sign all outgoing messages, open the Netscape Communicator Security Advisor by choosing Security Info from the Communicator menu. Click on the Messenger link to display the Messenger Security Settings and enable the Sign mail messages, when it is possible checkbox. To automatically sign outgoing discussion (news) messages enable the Sign discussion (news) messages, when it is possible checkbox.
The recipient will see a signed icon that indicates the message has been signed – that is, the recipient will see a signed icon if he or she is also using Netscape (we’ll get into this issue later in the paper as well).

How  DCs  protect the data
Encryption & Digital Certificates are the solution for Internet Commerce. Used together, they protect your data as it travels over the Internet.
Encryption is the process of using a mathematical algorithm to transform information into a format that can't be read (this format is called cipher text). Decryption is the process of using another algorithm to transform encrypted information back into a readable format (this format is called plain text).
Digital Certificates are your digital passport, an Internet ID. They are verification of you who you are and the integrity of your data.
Combined, encryption and digital certificates protect and secure your data in the following four ways:.
  • Authentication: This is digital verification of who you are, much in the same way your driver's license proves your identity. It is very easy to send spoofed email. I can email anyone in the world pretending I am the President of the United States. Using standard email, there is no way to verify who the sender is, i.e. if it is actually the President. With digital signatures and certificates, you digitally encode verifiable proof of your identity into the email.
  • Integrity: This is the verification that the data you sent has not been altered. When email or other data travels across the Internet, it routes through various gateways (way stations). It is possible for people to capture, alter, then resend the message. Example, your boss emails the company president stating that you should be fired. It is possible for you to intercept that email and change it saying you deserve a $10,000 raise. With digital certificates, your email cannot be altered without the recipient knowing.
  • Encryption: This ensures that your data was unable to be read or utilized by any party while in transit. Your message is encrypted into incomprehensible gibberish before it leaves your computer. It maintains it encrypted (gibberish) state during it's travel through the Internet. It is not de-crypt until the recipient receives it. Because of the public-key cryptography used (discussed later) only the recipient can decipher the received message, no one else can.
  • Token verification: Digital tokens replace your password which can be easily guessed. Tokens offer a more secure way of access to sensitive data. The most common way to secure data or a web site is with passwords. Before anyone access the data, they are prompted with their user login id and password. However, this is easily cracked using various security software (such as Crack 5.0, etc.). Also, passwords can be found with other means, such as social engineering. Passwords are not secure. Token verification is more secure. Your digital certificate is an encrypted file that sits on your hardrive. When you need access to a system, that systems asks you for your digital certificate instead of a password. Your computer would then send the certificate, in encrypted format, through the Internet, authorizing you for access. For this to be compromised, someone would have to copy this file from your computer, AND know your password to de-crypt the file.
Digital Certificate Providers
                  CertCo: www.certco.com/
Digital Signature Trust: www.digsigtrust.com
Encommerce: www.encommerce.com/
Entegrity: www.entegrity.com/
Entrust: www.entrust.com/
Equifax http://www.equifax.com/
GTE CyberTrust: www.cybertrust.gte.com/cybertrust/index.html
Litronic: www.litronic.com/
RSA Security: www.rsasecurity.com/
Setco: www.setco.org/
Thawte: www.thawte.com/
Valicert: www.valicert.com/
Verisign: digitalid.verisign.com/client/class1MS.htm
Xcert: www.xcert.com/
 Pricing
Prices range widely for digital certificates. The following is a comparison of Thawte and Verisign prices.
Service
Thawte
Verisign



Server Certificates


Initial Server Certificate
$125
$349
Server Certificate Renewal
$100
$249



Personal Certificates


Class 1
Free
$14.95
Class 2
$20
$14.95



Developer Certificates


Initial Certificate
$200
$400
Renewal
$100
$400

 Conclusion

Digital Certificates provide a way to authenticate communication on the Internet. They come in three flavors: personal, web server, and developer certificates. Personal certificates are primarily used for e-mail.
Universal acceptance and widespread use will depend on the industry’s ability to communicate in understandable terms and the development of a true standard

Four factors emerge from the ten survey responses as possible reasons for the lagging acceptance of certificates by technical documentation departments:
  • cost
  • compatibility
  • perceived need
  • familiarity
First, the capital outlay is significant and needs to be justified. It easily costs over $10,000 to deploy an adequately configured digital certificate system. In addition, there are staff training and ongoing system maintenance costs that, in most cases, exceed the capital investment.
Second, while there are standards for digital certificate formatting and content, not all applications recognize the same endorsing entities. This application incompatibility often results in false warnings that a digital certificate may not be valid even though it is valid, and defeat the fundamental purpose of the system.
Third, it is difficult to isolate a case of document theft or compromise that would only be mitigated by certificates and not by other security measures such as stronger password protection. Thus, there is no clear need perceived by technical documentation professionals to use digital certificates.
Finally, as stated at the beginning, encryption is a mystery to many of us. Put all these factors together and the response rate is not surprising. A larger survey reaching more industries and writers is needed for conclusive results. That said, the digital certificate remains the most promising solution for ubiquitous electronic authentication and the leading applications are delivering the ability to use it today. So, although it is new to many of us, if popular novelist Stephen King is making it work, chances are you will have a certificate of your own tucked securely away in your PC in the coming years.
The knowledge about different revocation methods is not very widely spread. Efficient and practicable methods are still needed and a topic of today's research. A main requirement for new developments and new ideas is that they can easily be integrated in widespreadly used X.509 certificates. 

{ 2 comments... read them below or Comment }

  1. This comment has been removed by the author.

    ReplyDelete
  2. This article covers almost everything about digital certificates. I find it the most relevant and excellent guide which all the readers will also find helpful.
    digital certificate

    ReplyDelete

- Copyright © Seminar Sparkz Inc -- Powered by Semianr Sparkz Inc - Designed by Shaik Chand -