KEYNECTIS - Learn more about PKI

www.keynectis.com > Learn more about PKI

Learn more about PKI

• Digital certificate

What is a digital certificate?

An digital credential that vouches for the holder's identity, a digital certificate has characteristics similar to those of a passport - it has identifying information, is forgery-proof, and is issued by a trusted third party. Digital certificates are published in on-line directories. Typically, a digital certificate contains:
• The user's distinguished name
• The issuing Certification Authority's distinguished name
• The user's public key
• The validity period
• The certificate's serial number
• The issuing Certification Authority's digital signature, verifying the information in the digital certificate

Who needs a digital certificate?

Anyone who intends to conduct business or wants to provide for secure communications and data transmission through their web site should have a digital certificate installed on their web server.

How do digital certificates work?

When a customer visits a web site with a Secure Server ID, their browser will first confirm the identity of the web server. Once confirmed, a secure session (like a private conversation) between the server and browser can begin. By using a public and private key pair, all communications are encrypted by the users browser and decrypted by the web server. This process happens transparently to the user.

How do I know which certificate is best for me?

There are some critical elements to be factored when considering the digital certificates currently on the market. First and foremost is the issuer of the certificate, or the Certificate Authority (CA). You should look for a CA who combines leading encryption technology, robust infrastructure, and rigorous authentication processes to ensure protection of merchants and their customers. Other important factors to consider are the level of encryption the certificate provides, the web browsers it supports, and the geographic distribution of your customer base.

What is the difference between a 128-bit and a 40-bit certificate?

The primary difference between the two is the strength of the Secure Sockets Layer (SSL) session that each enables. The higher the encryption, the more difficult it is to break the code. Most browsers support 40-bit SSL sessions, and the latest browsers enable users to encrypt transactions in 128-bit sessions. As for which certificate option is best for you, consider the amount of secure transactions taking place on your site and their importance in your business. If you own or manage a business that depends on Internet transactions, such as large-scale online merchants, banks, or brokerages, you may find that the added security of a 128-bit certificate is a wise investment.

What is SSL?

SSL is the industry-standard protocol that provides data encryption, server authentication, message integrity, and optional customer authentication for a TCP/IP connection. Because SSL is built into all major browsers and web servers, simply installing a digital certificate turns on their SSL capabilities.

How many digital certificates do I need?

You will need a unique certificate for each fully qualified domain per server instance. If you are using one fully qualified domain on multiple servers that operate simultaneously (for example, in a load balancing environment) then each individual server will require a unique certificate.

• Public Key Infrastructure (PKI)

What is a Certification Authority (CA)?

A Certification Authority is a trusted third party that verifies the identity of an applicant registering for a digital certificate. Once a Certification Authority is satisfied as to the authenticity of an applicant's identity, it issues that person a digital certificate binding his or her identity to a public key.

What is a Public Key Infrastructure?

A PKI is a comprehensive system of policies, processes, and technologies working together to enable users of the Internet to exchange information securely and confidentially. Public Key Infrastructures are based on the use of cryptography - the scrambling of information by a mathematical formula and a virtual key so that it can only be decoded by an authorized party using a related key. A PKI uses pairs of cryptographic keys provided by a trusted third party known as a Certification Authority (CA). Central to the workings of a PKI, a CA issues digital certificates that positively identify the holder's identity. A Certification Authority maintains accessible directories of valid certificates, and a list of certificates it has revoked.

What are the security services PKI provides?

PKI brings to the digital world the security and confidentiality features provided by the physical documents, hand-written signatures, sealed envelopes and established trust relationships of traditional, paper-based transactions. These features are:
• Confidentiality: ensures than only intended recipients can read files
• Data integrity: ensures that files cannot be changed without detection
• Authentication: ensures that participants in an digital transaction are who they claim to be
• Non repudiation: prevents participants from denying involvement in an digital transaction

What are the main elements of a PKI?

A PKI includes:
• A Certification Authority
• Digital certificates
• Mathematically related key pairs, each comprising a private key and a public key
These elements work within a formal structure defined by:
• Certificate Policies
• A Certification Practice Statement

What are public and private keys, and what is their relationship?

A PKI uses asymmetric cryptography to encrypt and decrypt information. In asymmetric cryptography, encryption is done by a freely available public key, and decryption is done by a closely guarded private key. Although the public and private keys in a particular key pair are mathematically related, it is impossible to determine one key from the other. Each key in an asymmetric key pair performs a function that only the other can undo.

What is a Certificate Policy (CP)?

Certification Authorities issue digital certificates that are appropriate to specific purposes or applications. Certificate Policies describe the rules governing the different uses of these certificates.

What is a Certification Practice Statement (CPS)?

A Certification Practice Statement is a comprehensive statement of the practices a Certification Authority follows in issuing digital certificates. It describe the precise practices for issuing, suspending, revoking and renewing digital certificates, and is more detailed than the Certification Authority's Certificate Policies. Certification Statements are detailed instructions for implementing the rules described in Certificate Policies.

• Cryptography

What is cryptography?

Cryptography is a science intended to convert unencrypted information or signals into information or signals using secret conventions called keys, such that the information or signals are unintelligible to third parties who are not aware of the secret used to convert the signals, or to perform the reverse operation using hardware or software means designed for this purpose.
Cryptography is useful for detecting loss of data integrity, authenticating players and protecting confidential information.

What is a public key?

A distinction is made between two types of cryptography, namely, firstly symmetric cryptography called secret key cryptography, and, secondly, asymmetric cryptography or public key cryptography. The principle of secret key cryptography is to use a single secret or a single key to encrypt and decrypt information. Public key cryptography uses different keys in transmission and in reception. However, the pair of keys used is cryptographically inseparable; it comprises a private part that is secret and a public part that does not need to be confidential. This pair of keys is called a dual key.

How is public key cryptography used to encrypt information?

When several users use cryptography to secure their exchanges, they share the same secret key. A single user may communicate with different groups that must not share the same secret, because they do not access the same type of information. This leads to the use of a large number of keys, as soon as this scheme is extended to a large user community. Secret key management, which is the guarantee of their confidentiality and integrity, then becomes difficult in terms of resources and organisation. These problems can be solved by public key cryptography to the extent that each user has one and only one private key. Thus, when a user wants to establish a secret convention, they use their contact's public key and set up an asymmetric cryptographic mechanism.

What is encryption?

Encryption is the process of using a mathematical formula and an encryption key to scramble information so that is unintelligible to unauthorized persons. Since digital information is in the form of a series of ones and zeros, an encryption process can transform a particular digital message into another sequence of ones and zeros that is uniquely related to the original message

What is decryption?

Decryption is the process of converting the scrambled information back to its original, plain text form using the same mathematical formula and a decryption key related to the encryption key so an authorized person can understand it.

How does a PKI ensure data confidentiality?

Users' public keys are published in an accessible directory. A person wishing to send an encrypted message uses the recipient's public key to scramble the information in the message. Only the recipient's private key can decrypt the message.
So, if Bob wants to send a confidential message to Alice, his PKI software finds Alice's public key in the directory where it is published, and he uses it to encrypt his message. When Alice receives the encrypted message, she uses her private key to decrypt it. Because Alice keeps her private key secret, Bob can be assured that, even if his message were to be intercepted; only Alice can read it.

What happens if I lose my secret key?

If the secret key is lost, there is no way to recover it. That also means you will lose the ability to decrypt the messages that were encrypted using your public key. There is no remedy of this situation. Similarly if you forget your pass phrase, there is also no way to recover it.

How should I protect my private key?

Protect your computer from unauthorized access by keeping it physically secure. Use access control products or operating system protection features (such as a system password). Take measures to protect your computer from viruses, because a virus may be able to attack a private key. Always chose to protect your private key with a good password.

• Digital signature

What is a digital signature?

Not to be confused with a digitized signature (a scan of a hand-written signature), a digital signature can be used with either encrypted or unencrypted messages to confirm the sender's identity and ensure the recipient that the message content has not been changed in transmission. Digital signatures incorporate the characteristics of hand-written signatures in that they can only be generated by the signer, are verifiable, and cannot easily be imitated or repudiated.

How does a digital signature work?

Suppose that the famous Bob and Alice wish to correspond digitalally. Bob wants to assure Alice that he originated the digital message, and that its contents have not been tampered with. He does so by signing the message with a digital signature.
When Bob clicks on the digital signature option on his e-mail application, special software applies a mathematical formula known as a hash function to the message, converting it to a fixed-length string of characters called a message digest. The digest acts as a "digital fingerprint" of the original message. If the original message is changed in any way, it will not produce the same message digest when the hash function is applied. Bob's software then encrypts the message digest with his private key, producing a digital signature of the message. He transmits the message and digital signature to Alice.
Alice uses Bob's public key to decrypt the digital signature, revealing the message digest. Since only Bob's public key can decrypt the digital signature, she is able to verify that Bob was the sender of the message. This verification process also tells Alice's software which hash function was used to create the message digest of Bob's original message. To verify the message content, Alice's software applies the hash function to the message she received from Bob. The message digests should be identical. If they are, Alice knows the message has not been changed and she is assured of its integrity. (If Bob had wanted to ensure the confidentiality of his message, he could have encrypted it with Alice's public key before applying the hash function to the message.)
The best thing about all these encryption, decryption, verifying and authenticating processes is that special software does them all transparently, so that Bob and Alice receive the assurances they need without having actually to engage in computations themselves

What is a Time stamp?

A timestamp is the digital proof that objectively enables to detect the creation time of certain data.
To get a timestamp, the party that is interested in proving the creation time of the data, sends a cryptographic code to the time stamping service provider (TSP). Finding two data collections with a similar cryptographic code needs tremendous computing power, unavailable to any modern computer or computer network. The service provider returns a digitally signed proof that proves the existence of the said data collection. Since the time stamping authority sees only a cryptographic code, the confidentiality of the data is retained.

What is a qualified certificate?

It is a certificate complying to the Digital Signature Act, issued by a qualified provider. A digital signature created with it is as binding as one written by hand. Requirements of the Act and related by-laws concern sensible data protection level, uniqueness of certain data, strictness of subscriber verification etc.