Digital certificates are issued by a trusted third party known as a certification authority (CA). The CA validates the identity of a certificate holder and "signs" the certificate to attest that it hasn't been forged or altered in any way.
When a certificate is digitally signed by a CA, its owner can use it as an electronic passport to prove his identity. It can be presented to Web sites, networks or individuals that require secure access.
Identifying information embedded in the certificate includes the holder's name and e-mail address, the name of the CA, a serial number and any activation or expiration data for the certificate. When a user's identity is verified by the CA, the certificate uses the holder's public encryption key to protect this data.
Public keys are also employed by certificates that a Web server uses to confirm the authenticity of a Web site for a user's browser. When a user wants to send confidential information to a Web server, such as a credit-card number for an online transaction, the browser will access the public key in the server's digital certificate to verify its identity.
|New Uses For Digital CertificatesDigital certificates are now being used to provide security and validation for wireless connections, and hardware manufacturers are one of the latest groups to use them. Last month, VeriSign Inc. in Mountain View, Calif., announced its Cable Modem Authentication Services, which allow hardware manufacturers to embed digital certificates into cable modems to help prevent the pirating of broadband services through device cloning.
Using VeriSign software, hardware makers can generate cryptographic keys and corresponding digital certificates that manufacturers or cable service providers can use to automatically identify individual modems. "It appears that this is the very first time that certificates are being used at the point of manufacture in electronics products, where they are burned right into the read-only memory of [a] cable modem," says analyst Michael Harris, president of Kinetic Strategies Inc. in Phoenix.
According to VeriSign, the Data Over Cable System Interface Specification standard, which calls for the embedding of digital certificates in cable modems, sets the stage for next-generation broadband services such as pay-per-view, digital rights management and online software delivery and ensures interoperability among products from cable modem manufacturers and operators.
"This 'last-mile' authentication not only protects the value of existing content and services but also positions cable system operators to bring a broad new range of content, applications and value-added services to market," says Stratton Sclavos, president and CEO of VeriSign.
Public-key cryptography uses matched public and private keys for encryption and decryption. These keys have a numerical value that's used by an algorithm to scramble information and make it readable only to users with the corresponding decryption key.
A person's public key is used by others to encrypt information meant only for that person. When he receives the information, he uses his corresponding private key, which is kept secret, to decrypt the data. A person's public key can be distributed without damaging the private key.
A Web server using a digital certificate can use its private key to make sure that only it can decrypt confidential information sent to it over the Internet.
The CA certificate tells users whether they can trust the Web server certificate when it's presented to the browser. If the validity of the Web server certificate is affirmed, the certificate's public key is used to secure information for the server using Secure Sockets Layer (SSL) technology.
Digital certificates are used by the SSL security protocol to create a secure "pipe" between two parties that seek confidential communication. SSL is used in most major Web browsers and commercial Web servers.
Hello and a Handshake
If a purchaser wants to connect to a Web site secured with SSL, his browser sends a "client hello" message to the Web server, requesting an SSL secured session. The Web server replies by sending the purchaser its server certificate.
The purchaser's browser will verify that the server's certificate is valid and signed by a trusted CA. The process of confirming that two entities want to establish a secure SSL connection is known as the SSL "handshake."
To initiate the handshake, the purchaser's browser will generate a unique, one-time session key encrypted with the server's public key and send the encrypted session key to the server. The server recovers the session key and decrypts the message using its private key.
This exchange verifies the identity of the Web site and ensures that only the browser and the Web server have a copy of the session key. The Web server then uses the session key to send encrypted information to the purchaser.
When the browser is in normal mode, a key or padlock icon in the lower corner of the browser looks broken or open. When an SSL connection has been established and the browser is in secure mode, the key becomes whole and the padlock is closed.