Monday, 17 March 2014

Digital Certificates

We discussed digital signatures in my previous post. Digital signatures involves two keys:
  1. Public key 
  2. Private key
Private key is supposed to be kept private and is never disclosed, on the other hand public key can be distributed as widely as owner wants.

The distribution of public key causes security issues of its own.

Suppose you want to get Alice's public key, what options do you have ?
  1.  If you know him personally you can invite him over tea or call him directly to get his public key.
  2. If Alice is unknown, you can take his public key from his website.
  3. Drop  him an email to send his public key to you 
  4. Or you can google it.

Issue with Public Key distribution

But the problem is that how do you know that the public key you receive is really the public key of Alice ?

The difficulty of public key distribution is that no matter what means of communication you use, the public key can be potentially tampered with.
For e.g. if you visit Alice website, someone can intercept the web page and change the key en route to your browser.
If someone, lets say John is able to successfully replace Alice's public key with his own, he can pretend to be Alice and can take advantage of trust you place in Alice's signature.

Certificate Authorities

To address these difficulties of public key distribution several certificate authorities (CAs) have been established for the purpose of vouching for public keys.

To get a drivers license you typically apply to a Govt agency like department of motor vehicles which verify your identity , your ability to drive, you address and other information before issuing a license. To get a student ID, you apply to school or college , which performs different checks (if you have paid tuition fees, your class etc) before issuing you the ID.

Certificates work much the same way as any of these familiar forms of identification. Certificate Authorities are entities that validate identities and issue certificates.

So Alice can go to a Certificate Authority, complete their formalities to prove that he is indeed Alice.
CAs can use different methods to validate the identity of individuals based on their policies.

There are many CAs to choose from :

What does certificate contains ?

Digital certificate contains following information:
  1. Name of the entity it identifies
  2. Public key of entity
  3. Digital Signature of CA
  4. Expiration Date of certificate
  5. Name of the CA that issued it
  6. Serial number etc.

How is a certificate created ?

The certificate issued by CA binds identity information (i.e. name of the entity like employee, server, company etc) of entity with entities public key.

CA takes entity's identity information, entity's public key and name of CA itself , creates a message digest out of this information and signs it with its own private key. The end product is called Digital Certificate.


How it works ?

Coming back to our original problem, distributing public key for Alice.
Now Alice has obtained a certificate from CA. You can get Alice certificate from any medium email, website etc. Once you get the certificate you decrypt it with CAs public key and you will get Alice public key

As the certificate is signed with CAs private key, you can verify the validity of certificate if you are able to decrypt it using CAs public key, as only the certificate signed by CAs private key can be decrypted by its public key.

The only question now remains, where to get CAs public key ?

Well you need not to worry for that, CAs public key is already available on your system. For e.g. browsers/OS already have public key for CAs embedded in them.

So using digital certificates, one can distribute his public key without the risk of someone using fake public keys for impersonation.

1 comment:

  1. The concept of digital certificates seems to be very similar to the very basic rules of cryptography, without much sophistication.