In this article we will talk about What is a Digital Certificate?, and in previous article we already discussed about Cyber Laws and Liability.
A digital certificate is equivalent to an electronic passport. They enable users, hosts, and organizations to exchange information securely over the Internet. Specifically, a digital certificate authenticates and verifies that users sending a message are who they claim to be. Digital certificates can also provide confidentiality for the receiver with the means to encrypt a reply.
Digital certificates are similar to physical certificates. For example, the paper-based Cisco Certified Network Associate Security (CCNA-S) certificate, the Certificate Authority (who authorized the certificate), and for how long the certificate is valid.
In this scenario, Bob is purchasing an online item from Alice’s website. Bob’s browser will use Alice’s digital certificate to ensure he is actually shopping on Alice’s website and to secure traffic between them.
Step 1: Bob decides to buy something on Alice’s website and clicks on “Proceed to Checkout”. His browser initiates a secure connection with Alice’s web server and displays a lock icon in the security status bar.
Step 2: Alice’s web server receives the request and replies by sending its digital certificate containing the web server public key and other information to Bob’s browser.
Step 3: Bob’s browser checks the digital certificate against stored certificates and confirms that he is indeed connected to Alice’s web server. Only trusted certificates permit the transaction to go forward. If the certificate is not valid, then communication fails.
Step 4: Bob’s web browser creates a unique session key that will be used for secure communication with Alice’s web server.
Step 5: Bob’s browser encrypts the session key using Alice’s public key and sends it to Alice’s web server.
Step 6: Alice’s web server receives the encrypted message from Bob’s browser. It uses its private key to decrypt the message and discover the session key. Future exchange between the web server and browser will now use the session key to encrypt data.
On the Internet, continually exchanging identification between all parties would be impractical. Therefore, individuals agree to accept the word of a neutral third party. Presumably, the third party does an in-depth investigation prior to the issuance of credentials. After this in-depth investigation, the third party issues credentials that are difficult to forge. From that point forward, all individuals who trust the third party simply accept the credentials that the third party issues.
In this process, she submits evidence of her identity, such as birth certificate, picture ID, and more to a government-licensing bureau. The bureau validates Alice’s identity and permits Alice to complete a driver’s examination. Upon successful completion, the licensing bureau issues Alice a driver license. Later, Alice needs to cash a check at the bank. Upon presenting the check to the bank teller, the bank teller asks her for ID. The bank, because it trusts the government-licensing bureau, verifies her identity and cashes the check.
Certificate Authority (CA)
A certificate authority (CA) functions the same as the licensing bureau. The CA issues digital certificates that authenticate the identity of organizations and users. These certificates also sign messages to ensure that no one tampered with the messages.
As long as a digital certificate follows a standard structure, any entity can read and understand it regardless of the issuer. X.509 is a standard for a public key infrastructure (PKI) to manage digital certificates. PKI is the policies, roles, and procedures required to create, manage, distribute, use, store, and revoke digital certificates. The X.509 standard specifies that digital certificates contain the standard information.
Browsers and applications perform a validation check before they trust a certificate to ensure they are valid. The three processes include the following:
- Certificate Discovery validates the certification path by checking each certificate starting at the beginning with the root CA’s certificate
- Path Validation selects a certificate of the issuing CA for each certificate in the chain
- Revocation determines whether the certificate was revoked and why
An individual gets a certificate for a public key from a commercial CA. The certificate belongs to a chain of certificates called the chain of trust. The number of certificates in the chain depends on the hierarchical structure of the CA.
There is an offline Root CA and an online subordinate CA. The reason for the two-tier structure is that X.509 signing allows for easier recovery in the event of a compromise. If there is an offline CA, it can sign the new online CA certificate. If there is not an offline CA, a user has to install a new root CA certificate on every client machine, phone, or tablet.