Internet Security, Public Key Encryption and Digital Certificates

Posted by arlene

One of the problems with public key systems is that, while they allow secure communication between individuals, they do not easily allow more public communication: there is no guarantee that the person who purports to issue a particular public key is that person.

The x509.v3 standard

Probably the most popular standard for digital certificates is the x509.v3 standard. This contains all the information that has been detailed above; however, it also defines the ability of digital certificates to contain name/value pairs which help in authentication. For example, a certificate defined by this standard might embed details of which message digest function has been used to create the digital signature of the certificate.

In order to get over this problem, digital certificates have been developed. A digital certificate is a document which is issued by a trusted third-party organisation such as a national post office which describes a particular user. The certificate will contain data such as the name of the user, a unique serial number and, of course, the public key used by the person who wishes to carry out communications. The certificate will carry a digital signature written by the organisation which issued the certificate. In order to verify the authenticity of a digital signature the recipient of any data will need to have access to the third party’s public key. Often these are embedded in packaged software such as Web browsers.

Once a certificate has been established all a client has to do to convince itself that it is interacting with a particular entity such as a company, say via a browser, is to carry out the following processes:

Obtain the digital certificate.

As a practical example of this consider the digital certificate associated with a very popular security technology known as the Secure Sockets Layer (SSL), the details of which are presented later. This technology is used to send encrypted messages between a browser and a server, for example credit card details.

When a browser connects to a Web server which uses SSL, the first thing that happens is that the server sends the client an x509.v3 digital certificate which contains the server’s public key. The browser then checks the certificate for integrity, for example checking that it contains the correct signature. If the check is successful, the public key embedded in the certificate is then used by the client to decode the initial information that the server sends to establish the dialogue between itself and the browser. A product of this initial information is an agreement to interchange further data, for example financial transactions, using symmetric key encryption; the public key is used to convey all the data required to start up the data interchange process. The reason that SSL does not use public key encryption to transfer data is that the data can be bulky, and public key encryption and decryption are very much slower than their symmetric key counterparts.
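The certificate check described above, as an added Go example using the standard crypto/x509 package (it is not code from the original post): a root CA issues a server certificate, and the client accepts it only if it chains to a root it already trusts and names the expected host. The names root-ca.example and shop.example, the serial numbers and the helper functions are constructed for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates an X.509v3 certificate for name; parent == nil yields a self-signed root CA.
func issue(name string, serial int64, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // the root signs itself with its own private key
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// verify is the client-side check: signature chain up to the one trusted root, validity, host name.
func verify(trustedCA, cert *x509.Certificate, host string) error {
	roots := x509.NewCertPool() // stands in for the CA keys shipped inside a browser
	roots.AddCert(trustedCA)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, caKey := issue("root-ca.example", 1, nil, nil)
	srv, _ := issue("shop.example", 2, ca, caKey)
	fmt.Println(srv.Subject.CommonName, srv.SerialNumber, srv.SignatureAlgorithm, verify(ca, srv, "shop.example"))
}
```

The `SignatureAlgorithm` field printed by `main` is the certificate's own record of which digest and signature scheme the issuer used.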

There are four types of digital certificates that are currently used on the Internet. All conform to the rules of x509.v3.
