Understanding Digital Certifications

To understand digital certifications, one must first understand digital signatures. A digital signature is one way to verify the sender of a message or document. This is done asymmetrically, by using the sender’s private key to encrypt a digest of the original message. The basics are as follows:

  1. A message is created by the sender
  2. A hash digest of that message is created
  3. The digest is encrypted with the private key
  4. The message, the hashed digest and the hash algorithm used are all sent over

When the intended receiver gets the message, the message will be decrypted using the sender’s public key. Using the hash algorithm, the original message can be hashed to see if it matches the digest sent over. If the digest matches the hash created by the receiver then it is assumed that the message was not tampered with. If the receiver could not decrypt the message, then it is acknowledged that the message did not come from the appropriate sender. Thus, digital signatures are able to prove to the receiver that the message was encrypted using the expected sender’s private key.
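
The signing steps and the receiver's check described above, as an added example that is not part of the original article: a toy textbook-RSA signature in Python. The key material (known Mersenne primes), the function names and the receiver-side allowlist of hash algorithms are assumptions made for illustration; real systems use randomly generated keys and a padding scheme such as RSA-PSS.

```python
import hashlib

# Constructed toy key material: known Mersenne primes, textbook RSA, no padding.
# Illustration only; real signatures use random primes and padding (e.g. RSA-PSS).
E = 65537
ALLOWED_HASHES = {"sha256", "sha512"}  # assumption: receiver-side allowlist

def make_keypair(p, q):
    """Return (public, private) as ((n, e), (n, d))."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, E), (n, d)

def digest_int(message, algorithm):
    """Step 2: hash the message and read the digest as an integer."""
    return int.from_bytes(hashlib.new(algorithm, message).digest(), "big")

def sign(message, private_key, algorithm="sha256"):
    """Steps 2-4: hash, transform the digest with the private key, bundle."""
    n, d = private_key
    signature = pow(digest_int(message, algorithm), d, n)
    return {"message": message, "signature": signature, "algorithm": algorithm}

def verify(bundle, public_key):
    """Receiver: recover the digest with the public key, re-hash, compare."""
    if bundle["algorithm"] not in ALLOWED_HASHES:
        return False  # never let the sender pick a hash the receiver distrusts
    n, e = public_key
    recovered = pow(bundle["signature"], e, n)
    return recovered == digest_int(bundle["message"], bundle["algorithm"])

SENDER_PUB, SENDER_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
_, IMPOSTOR_PRIV = make_keypair(2**521 - 1, 2**1279 - 1)

def demo():
    """Verify a genuine bundle, a tampered one, and ones that must be rejected."""
    good = sign(b"Grades are posted", SENDER_PRIV)
    tampered = dict(good, message=b"Grades are cancelled")
    forged = sign(b"Grades are posted", IMPOSTOR_PRIV)
    return {
        "good": verify(good, SENDER_PUB),
        "tampered": verify(tampered, SENDER_PUB),
        "forged": verify(forged, SENDER_PUB),
        "weak_hash": verify(dict(good, algorithm="md5"), SENDER_PUB),
    }

if __name__ == "__main__":
    print(demo())
```

Only the first bundle verifies; the altered message, the signature made with a different private key, and the bundle naming a hash outside the allowlist are all rejected.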

Digital certifications exist because digital signatures cannot truly verify that the sender is physically who they say they are. As an analogy, I can knock on Derek Jeter’s door and claim that my name is Ravel Charles. While my name is actually Ravel Charles, if it was his first encounter with me, he may not trust me. However, if he looked at the class roster and saw my name and photo as Ravel Charles, he would then trust that I am who I said I am. This is because my identity has been confirmed by a trusted third party, in this case Northeastern University. Digital certifications are managed by Certificate Authorities (CAs), which go through the process of registering, certifying and maintaining a record of the owners of various public keys. In contrast, a Registration Authority (RA) is in charge of registering and verifying the identity of the person requesting a certificate. Thus, the basis of a digital certification is to verify the actual owners of the public keys that are present on the internet.

There are various types of digital certifications that are popular in the industry. These include personal, server, and software publisher digital certificates. Personal certifications are issued by an RA directly to the requester. These are typically used for email purposes. Software publisher certificates are issued by software publishers who aim to show that their programs have not been tampered with. Server certifications are given by the web server to the client to ensure that the web server is authentic and to verify the owner of the server. As an example, northeastern.edu has a digital certificate that is trusted by a CA. Thus, a user that logs on to that website can rest assured that the data transmitted on that website will be used only by the owners listed on the certificate. Digital certificates are also a way to start the encryption process for data being transferred from one place to another. The process is outlined below:

  1. The Client sends “Hello” to the web server, along with a list of algorithms that could be used to encrypt messages.
  2. The web server sends “Hello” back, along with which algorithm will be used and a server certificate to authenticate itself.
  3. The Client acknowledges the certificate, makes sure it is not expired, and extracts the public key from it. The Client also generates a random message (pre-master secret), encrypts it with the public key and sends it back to the web server.
  4. The web server decrypts the pre-master secret with its private key. Now that both the client and server have the same pre-master secret, they can both create a unique master secret. This is then used to create a session key, which uses symmetric keys to encrypt and decrypt data exchanged in the session.

In general, certificates help verify and authenticate users during the symmetric encryption process. The padlock seen on websites indicates the use of a certificate that verifies the identity and also encrypts information sent to and from users. The handling of the public keys used in digital certificates can be described as Public Key Infrastructure (PKI).