© 2003 Wonder Software Technologies Private Limited. All rights reserved.

Digital Certificates

A digital certificate is just a file.

It contains four important pieces of information:

·         A public key.

·         Subject: The name (public information) of the entity that owns this public key; the certificate asserts that the matching private key is held by this entity.

·         Issuer: The name of the entity that vouches that the mentioned public key truly belongs to the mentioned subject.

·         Fingerprint: A value computed from the certificate's contents, shown as a string of digits.

Your own digital certificate can be digitally signed either by yourself or by a certificate authority. Certificates that you sign yourself are called Self-Signed Certificates, and certificates signed by a Certificate Authority are called CA-Signed Certificates. You can safely hand out your digital certificate to others, since it does not contain your private key.

A Matter of Trust

A certificate is a means of creating trust: it is meant to convince you and others that a certain public key belongs to a specific entity.

Why do we need this trust?

Public keys are used for two purposes:

1.     To verify a digital signature.

2.     To encrypt a message or a file so that, after encryption, it can only be accessed by a person who has the matching private key.

Suppose I receive an e-mail with an attached file, and the mail header claims that the file was sent by my friend Sandy. I open the attachment and find that the mail was fake and the file was a virus. How could I have avoided it? If the file had been digitally signed by Sandy and I had verified his digital signature, I would have known that the mail was fake and could have avoided implanting a critical virus in my system.

Similarly, if I am sending an e-mail to Sandy and I do not wish others to be able to read this message, what do I do? I encrypt the e-mail using Sandy’s public key. Only Sandy has the matching private key and thus only he can decrypt this message.

I have received Sandy’s digital certificate in an e-mail sent by him. Anyone, e.g. Mr. BigCheat, could have created such a digital certificate file with Sandy's public information. If the digital certificate I received is fake, then any message that I encrypt using the contained public key can be read by Mr. BigCheat. So how do I confirm that this digital certificate truly belongs to Sandy?

Building the trust

There are two ways to verify that the digital certificate truly belongs to Sandy:

1.     If the digital certificate is Self-Signed, i.e. the Subject and the Issuer are the same entity, then I must contact Sandy, the Subject, by some other means, e.g. phone or fax, and ask him to tell me the Fingerprint of his digital certificate. If the Fingerprint on the received certificate and the one faxed to me by Sandy are the same, I can start trusting the certificate. This has to be done only once in the lifetime of the certificate. This mode is very useful for protecting personal communication and does not cost a penny.

2.     If the digital certificate is CA-Signed, i.e. signed by a Certificate Authority, then I must have the digital certificate of this Certificate Authority and I must also trust this Certificate Authority. The CA's digital certificate already in my possession verifies the new digital certificate of my friend Sandy. Hence, if I trust a CA, I can safely trust Sandy’s new certificate signed by this CA. The question may arise of how I verify a root CA certificate. The only method that can be used is the one described in Step 1, but in this case I do not have to obtain the CA's digital certificate fingerprint by fax or phone: CAs publish their digital certificates in prominent places that can be accessed easily. Some root CA certificates are typically pre-installed in commercial software. However, getting your public key signed by a CA costs money.

Getting a digital certificate

There can be two ways to get yourself a digital certificate:

1.     Use software to create a Self-Signed digital certificate. When you create a private key, a matching public key is automatically created and placed in a digital certificate as described above. You can send it to others for your personal correspondence.

2.     Use software to create a Certificate Signing Request and have it signed by a Certificate Authority to get a CA-Signed digital certificate. If you use a browser to create your digital certificate, your browser generates your random private key and sends only the public key to the certificate authority. The process of purchasing a certificate may require installing the certificate authority's public key in your browser, three visits to the certificate authority's website, and some e-mail. Depending on the cost/class of the certificate, the certificate authority may need a substantial amount of time to check you out before issuing the certificate.

Types of digital certificate

There are many different types of certificate. However, the X.509 standard (http://www.ietf.org/rfc/rfc2459.txt) has resolved the problem that competing, vendor-specific formats were creating. Now, more or less, every vendor offers X.509 certificate support.

The formats are recognized by the certificate file name extension, some of which are:

*.cer - X.509/DER binary format

*.cer - X.509/DER Base64 encoded

*.crl - Certificate Revocation List

*.crt - X.509/DER binary format

*.p12 - PKCS #12

*.pfx - PKCS #12

*.p7b - PKCS #7

Buying a CA-Signed digital certificate

There are many Certificate Authorities from whom a digital certificate can be purchased, e.g.:

1.     Belsign
      http://www.belsign.com

2.     CyberTrust
      http://www.cybertrust.com

3.     Entrust
      http://freecerts.entrust.com

4.     GlobalSign
      http://www.globalsign.net

5.     Thawte
      http://www.thawte.com

6.     VeriSign
      http://digitalid.verisign.com