Digital certificates

1
Digital certificates
2

• We have previously considered topics such as user
  authentication, document integrity checks, and
  encryption. The introduction of solutions to
  each of these topics serves to improve the
  reliability of networked resources and increase
  our confidence in on-line transactions.

3

• While these innovations are helpful, they are not
  sufficient to replicate the sort of user
  authentication we would have in face-to-face
  encounters, nor would they irrefutably connect a
  person or business to a particular document or
  transaction, something quite necessary when
  financial transactions are involved or legally
  binding contracts are established.

4

• in-person authentication process ultimately
  relies on the existence and reliability of
  government-issued identification such as a
  drivers license or passport the government in
  this way serves as an authority that certifies
  identity. These government-issued documents are
  issued based upon yet other documents supplied
  during the application process

5

• Thus there is a hierarchy of certification that
  reinforces the notion that a drivers license is
  an acceptable form of identification.

6

• in-person verification can be done in a matter
  of seconds, and becomes a routine affair.
  However, replicating this procedure on-line is
  more difficult. The on-line version cant
  visually compare your face to your ID, nor
  compare your signature to the previously approved
  government-sanctioned version of your signature.

7

• So what is needed is an on-line mechanism that
  provides a similar sort of assurance from an
  authority that can say, essentially you dont
  know this guy, but I do, and hes okay by me.

8

• That authority in the on-line environment is
  known as a certificate authority (CA), an
  agency whose integrity must be beyond reproach.

9

• A certificate authority establishes protocols to
  ascertain the identity of registrants, and
  supports on-line verification that the identity
  has been proven to the CA. The Certificate
  Authority essentially says I checked this person
  out, and verified that he is who he says he is,
  you have my word on it.

10

• To acquire a digital certificate, an individual
  or organization registers with a certificate
  authority and presents proof of identity. The CA
  requests specific information of the registrant,
  investigates it, and then issues a digital
  certificate that confirms that the CA has
  verified the information independently.

11

• The certificate would typically include the
  following information
•    The registrants name
•   Additional personal information such as an
  e-mail address for a person or a URL for a web
  server
•     A unique registration number
•     The name of the certificate authority
•     The public key of the registrant
•   Dates that reflect certificate validity (start
  and expiration dates)
•      A digital signature seal from the CA that
  verifies authenticity of the certificate

12

• The exchange of digital certificates is a
  facility embedded into web browser functionality,
  such that the existence of certificates is easily
  detected and the certificates are automatically
  exchanged and verified with little or no
  intervention on the part of the user.

13

• By including the public key of the holder in the
  certificate, secure communications can be
  established even with unknown parties. The
  certificate authority includes its own digital
  signature such that any modifications to the
  certificate, such as changing the expiration date
  or personal data of the holder, are readily
  detected and would thereby invalidate the
  certificate.

14

• You can readily view a web sites digital
  certificate through the browser whenever the
  lock icon located in the lower portion of the
  browser window is in the closed position. This
  would signify that the link has been encrypted
  using the Secure Sockets Layer (SSL) encryption
  strategy. A graphic image of the digital
  certificate used to help establish the SSL
  connection can be viewed by clicking on the lock
  icon.

15

• There are three generally accepted levels of
  authentication associated with the certification
  process.

16

• Level 1 The combination of a user ID and
  password is usually described as level one
  security. As noted in the section on user
  authentication, a user ID and password are not
  sufficiently secure as they dont really
  authenticate users at all.

17

•    Applications that rely on Level 1 security
  are therefore subject to higher levels of risk
  and increased incidence of fraud. It is possible
  for someone to obtain a Level 1 digital
  certificate, but the certificate would attest to
  little more than the fact that the person paid a
  fee and has an e-mail account.

18

•   Level 2 The Certificate Authority performs a
  more thorough confirmation of the identity of the
  applicant, typically through arrangements with a
  trusted third party such as a financial
  institution, and in this way can confirm through
  such accounts and cross-references that the
  individual is who they claim to be, and can then
  issue a Level 2 digital certificate.

19

•   Level 3 Attests that the holder physically
  appeared in person, and presented official
  government-issued identification (thus attaining
  the same degree of authentication as in the bank
  teller example). Level 3 validation may also
  include biometric identification.

20

• One of the most important and most frequent uses
  of digital certificates is to confirm that a
  particular public key belongs to a specific
  individual or web server, thus inhibiting
  potential misrepresentation or spoofing
  activities.

21

• A second major use of digital certificates is in
  the verification of digital signatures
• Digital signatures are used to satisfy the
  on-line requirements for the functions served by
  traditional physical signatures.

22

• A popular misconception about digital signatures
  is that they are simply the scanned version of
  a physical signature. This notion is reinforced
  when retail stores have their customers sign a
  digital pad rather than a charge slip, and the
  clerks describe the process as a digital
  signature.

23

• Not to confuse the matter, but a digital
  signature is distinct from a digital signature,
  as we will see.

24

• A hand-written physical signature is required in
  situations such as financial transactions and
  signing binding commitments wherein the signature
  provides a legally-binding affirmative act that
  serves as non-repudiable evidence that binds the
  signer to the document.

25

• A digital signature serves much the same
  purpose as a traditional hand-written signature,
  in that it demonstrably connects a person to a
  particular document or transaction. A digital
  signature must therefore satisfy the legal
  expectations for traditional signatures, but also
  meet additional criteria

26

• 1) It must authenticate the message or document
  so as to ensure its integrity and detect any
  tampering.

27

• 2) It must authenticate the signer so as to
  verify identity even (particularly) if the signer
  is not present.

28

• 3) It should provide the affirmative act that
  associates a specific document with a particular
  signer.And all of this must be accomplished in an
  efficient and secure manner.

29

• The creation of a digital signature involves
  several steps. Recall that in the section on
  document integrity we learned about message
  digest functions.

30

• Message digest functions are a form of hash
  functions that take a variable length text
  document as input and produce an output that can
  be viewed as relatively unique and distinctive,
  thus serving as a sort of fingerprint of that
  document.

31

• If even the slightest change is made to the
  document, the message digest output would also be
  changed. A message digest function is used to
  authenticate a document.

32

• In preparing a digital signature, a particular
  document (or message) is identified, and a
  fingerprint computed using a message digest
  function.

33

• The private key of the signer is then used to
  encrypt the fingerprint of the document, and by
  so doing serves to authenticate the identity of
  the signer as only the signer would possess the
  private key.

34

• The document and the associated digital signature
  together form the affirmative act necessary to
  meet legal expectations. The digital signature
  by itself, not connected to the document, is
  meaningless, as the signature is used to connect
  the signer to a specific document.

35

• The recipient of a digitally signed message can
  then decrypt the signature using the public key
  of the signer, thereby yielding the fingerprint
  of the document.

36

• This is where a digital certificate might be used
  to verify that it is the right key from the right
  person. Remember that only the public key of the
  signer can be used to decrypt a message that has
  been encrypted using the signers private key,
  thus this serves to verify the identity of the
  signer.

37

• The same message digest function would be run on
  the document itself, yielding a new result. If
  the new result and the decrypted old value are
  the same then this result serves to verify that
  the document is authentic and unaltered.

38

• A digital signature can be more reliable than the
  corresponding traditional signature, as while it
  is possible to forge a hand-written signature, a
  digital signature is much more difficult to
  forge.

39

• By attaching a digital signature to a document it
  is possible for the recipient to confirm the
  authenticity and integrity of the document, and
  verify the identity of the sender with a degree
  of confidence much higher than by using physical
  signatures.

40

• The growing potential for and significance of
  digital signatures was acknowledged in a federal
  law1 that authorized the use of digital
  signatures in a wide range of legally binding
  transactions that would otherwise have required a
  physical written signature. 1 The Electronic
  Signatures in Global and National Commerce Act
  (E-Sign) took effect on October 1, 2000.

41

• The law was motivated by the recognition that the
  use of digital signatures would expedite the
  handling of a wide range of transactions and
  potentially save billions of dollars in
  processing costs associated with traditional
  signature collection methods.

42

• However, the law does include several situations,
  primarily involving life-changing or threatening
  scenarios, where digital signatures are not
  acceptable, including but not limited to the
  following

43

• The creation and execution of wills and trusts
•      Adoptions, divorce, or other matters of
  family law
•    Cancellation or termination of utility
  services (water, heat, power)
•    Actions against the primary residence of an
  individual (eviction, foreclosure, etc.)
•    Cancellation or termination of health or life
  insurance benefits

44

• The use of digital signatures is growing rapidly
  as the number of on-line transactions increases
  and the need to protect and secure these
  transactions becomes more important. Combined
  with the increased efficiency and tremendous cost
  savings involved, it is likely that digital
  signatures will become a routine component of a
  wide range of on-line transactions.

45

• The emerging standard for digital certificates
  can be found in RFC 2459 Internet X.509 Public
  Key Infrastructure Certificate and CRL Protocol.
  Note that the X.509 protocol is not yet a
  standard the details are still undergoing
  development.

46

• A compendium of specific development tasks along
  with target dates and related background
  documents for X.509 and the dozen or so RFCs on
  relevant technical problems can be found at
  http//www.ietf.org/html.charters/pkix-charter.htm
  l.