echnology Overview

This guide is a brief introduction to Digital Certificate and PKI technologies.

Digital Certificates are a means by which consumers and businesses can utilise the security
applications of Public Key Infrastructure (PKI). PKI comprises of the technology to
enables secure e-commerce and Internet based communication.

Why is security needed on the Internet?

The number of people and businesses online is continuing to increase. As access becomes
faster and cheaper such people will spend even more time connected to the Internet for
personal communication and business transactions.

The Internet is an open communications network that was not originally designed with
security in mind. Criminals have found they can exploit its vulnerabilities for fraudulent gain.
If the Internet is to succeed as a business and communications tool users must be able to
communicate securely.

What does security provide?

Identification / Authentication:
The persons / entities with whom we are communicating are really who they say they are.

Confidentiality:
The information within the message or transaction is kept confidential. It may only be read
and understood by the intended sender and receiver.

Integrity:
The information within the message or transaction is not tampered accidentally or
deliberately with en route without all parties involved being aware of the tampering.

Non-Repudiation:
The sender cannot deny sending the message or transaction, and the receiver cannot deny
receiving it.

Access Control:
Access to the protected information is only realized by the intended person or entity.

All the above security properties can be achieved and implemented through the use of Public
Key Infrastructure (in particular Digital Certificates).
Next >

What is PKI?

Public Key Infrastructure (PKI) refers to the technical mechanisms, procedures and policies
that collectively provide a framework for addressing the previously illustrated fundamentals
of security - authentication, confidentiality, integrity, non-repudiation and access control.

PKI enables people and businesses to utilise a number of secure Internet applications. For
example, secure and legally binding emails and Internet based transactions, and services
delivery can all be achieved through the use of PKI.

PKI utilises two core elements; Public Key Cryptography and Certification Authorities.
Encryption and Decryption
The benefits of PKI are delivered through the use of Public Key Cryptography. A core aspect
of Public Key Cryptography is the encryption and decryption of digital data.

Encryption is the conversion of data into seemingly random, incomprehensible data. Its
meaningless form ensures that it remains unintelligible to everyone for whom it is not
intended, even if the intended have access to the encrypted data.

The only way to transform the data back into intelligible form is to reverse the encryption
(known as decryption). Public Key Cryptography encryption and decryption is performed
with Public and Private Keys.

Public Key and Private Keys

The Public and Private key pair comprise of two uniquely related cryptographic keys
(basically long random numbers). Below is an example of a Public Key:

3048 0241 00C9 18FA CF8D EB2D EFD5 FD37 89B9 E069 EA97 FC20 5E35 F577 EE31
C4FB C6E4 4811 7D86 BC8F BAFA 362F 922B F01B 2F40 C744 2654 C0DD 2881 D673
CA2B 4003 C266 E2CD CB02 0301 0001

The Public Key is what its name suggests - Public. It is made available to everyone via a
publicly accessible repository or directory. On the other hand, the Private Key must remain
confidential to its respective owner.

Because the key pair is mathematically related, whatever is encrypted with a Public Key may
only be decrypted by its corresponding Private Key and vice versa.

For example, if Bob wants to send sensitive data to Alice, and wants to be sure that only Alice
may be able to read it, he will encrypt the data with Alice's Public Key. Only Alice has access
to her corresponding Private Key and as a result is the only person with the capability of
decrypting the encrypted data back into its original form.
As only Alice has access to her Private Key, it is possible that only Alice can decrypt the
encrypted data. Even if someone else gains access to the encrypted data, it will remain
confidential as they should not have access to Alice's Private Key.

Public Key Cryptography can therefore achieve Confidentiality. However another important
aspect of Public Key Cryptography is its ability to create a Digital Signature.

Digital Signatures
1. Resources

2. Small Business

3. Digital Certificates

Home & Home Office

Ecommerce

Small and Medium Business

o White Papers

o Case Studies

o Product Trials

o Knowledgebase Index

o Knowledgebase Article

o Videos

o Products

Large Enterprise

Partners

Digital Signatures apply the same functionality to an e-mail message or data file that a
handwritten signature does for a paper-based document. The Digital Signature vouches for
the origin and integrity of a message, document or other data file.

How do we create a Digital Signature?

The creation of a Digital Signature is a complex mathematical process. However as the
complexities of the process are computed by the computer, applying a Digital Signature is no
more difficult that creating a handwritten one!

The following process illustrates in general terms the processes behind the generation of a
Digital Signature:

1. Alice clicks 'sign' in her email application or selects which file is to be signed.
2. Alice's computer calculates the 'hash' (the message is applied to a publicly known
mathematical hashing function that coverts the message into a long number referred to as the
hash).
3. The hash is encrypted with Alice's Private Key (in this case it is known as the Signing Key)
to create the Digital Signature.
4. The original message and its Digital Signature are transmitted to Bob.
5. Bob receives the signed message. It is identified as being signed, so his email application
knows which actions need to be performed to verify it.
6. Bob's computer decrypts the Digital Signature using Alice's Public Key.
7. Bob's computer also calculates the hash of the original message (remember - the
mathematical function used by Alice to do this is publicly known).
8. Bob's computer compares the hashes it has computed from the received message with the
now decrypted hash received with Alice's message.

Represented diagrammatically:

If the message has remained integral during its transit (i.e. it has not been tampered with),
when compared the two hashes will be identical.

However, if the two hashes differ when compared then the integrity of the original message
has been compromised. If the original message is tampered with it will result in Bob's
computer calculating a different hash value. If a different hash value is created, then the
original message will have been altered. As a result the verification of the Digital Signature
will fail and Bob will be informed.

Origin, Integrity and Non-Repudiation:

Trent, who wants to impersonate Alice, cannot generate the same signature as Alice because
she does not have Alice's Private Key (needed to sign the message digest). If instead, Trent
decides to alter the content of the message while in transit, the tampered message will create
a different message digest to the original message, and Bob's computer will be able to detect
that. Additionally, Alice cannot deny sending the message as it has been signed using her
Private Key, thus ensuring non-repudiation.

Due to the recent Global adoption of Digital Signature law, Alice may now sign a transaction,
message or piece of digital data, and so long as it is verified successfully it is a legally
permissible means of proof that Alice has made the transaction or written the message.

Previously we referred to Public Keys being available to everyone, the next question is how
do we go about making them available to everyone in a safe, secure and scalable way?
Generally speaking we use small data files known as Digital Certificate.

What is a Digital Certificate, and why do you need one?

A Digital Certificate is a digital file used to cryptographically bind an entity's Public Key to
specific attributes relating to its identity. The entity may be a person, organisation, web entity
or software application. Like a driving license or passport binds a photograph to personal
information about its holder, a Digital Certificate binds a Public Key to information about its
owner.

In other words, Alice's Digital Certificate attests to the fact that her Public Key belongs to
her, and only her. As well as the Public Key, a Digital Certificate also contains personal or
corporate information used to identify the Certificate holder, and as Certificates are finite, a
Certificate expiry date.
Digital Certificates and Certification Authorities
Digital Certificates are issued by Certification Authorities (CA). Like a central trusted body is
used to issue driving licenses or passports, a CA fulfil the role of the Trusted Third Party by
accepting Certificate applications from entities, authenticating applications, issuing
Certificates and maintaining status information about the Certificates issued.

The incorporation of a CA into PKI ensures that people cannot masquerade on the Internet as
people they are not by issuing their own fake Digital Certificates for illegitimate use.

The Trusted Third Party CAs will verify the identity of the Certificate applicant before
attesting to their identity by Digitally Signing the applicant's Certificate. Because the Digital
Certificate itself is now a signed data file, its authenticity can be ascertained by verifying its
Digital Signature. Therefore, in the same way we verify the Digital Signature of a signed
message, we can verify the authenticity of a Digital Certificate by verifying its signature.

Because CAs are trusted, their own Public Keys used to verify the signatures of issued Digital
Certificates are publicised through many mediums widely.

The CA provides a Certification Practice Statement (CPS) that clearly states its policies and
practices regarding the issuance and maintenance of Certificates within the PKI. The CPS
contains operational information and legal information on the roles and responsibilities of all
entities involved in the Certificate lifecycle (from the day it is issued to the day it expires).

Digital Certificates are issued under the technical recommendations of the x.509 Digital
Certificate format as published by the International Telecommunication Union-
Telecommunications Standardization Sector (ITU-T).