Digital certificates - PowerPoint PPT Presentation

Slides: 47
Provided by: lew5
Learn more at: https://cs.nyu.edu
Transcript and Presenter's Notes

1
Digital certificates
2
  • We have previously considered topics such as user
    authentication, document integrity checks, and
    encryption. The introduction of solutions to
    each of these topics serves to improve the
    reliability of networked resources and increase
    our confidence in on-line transactions.

3
  • While these innovations are helpful, they are not
    sufficient to replicate the sort of user
    authentication we would have in face-to-face
    encounters, nor would they irrefutably connect a
    person or business to a particular document or
    transaction, something quite necessary when
    financial transactions are involved or legally
    binding contracts are established.

4
  • The in-person authentication process ultimately
    relies on the existence and reliability of
    government-issued identification such as a
    driver's license or passport; the government in
    this way serves as an authority that certifies
    identity. These government-issued documents are
    issued based upon yet other documents supplied
    during the application process.

5
  • Thus there is a hierarchy of certification that
    reinforces the notion that a driver's license is
    an acceptable form of identification.

6
  • In-person verification can be done in a matter
    of seconds, and becomes a routine affair.
    However, replicating this procedure on-line is
    more difficult. The on-line version can't
    visually compare your face to your ID, nor
    compare your signature to the previously approved
    government-sanctioned version of your signature.

7
  • So what is needed is an on-line mechanism that
    provides a similar sort of assurance from an
    authority that can say, essentially, "You don't
    know this guy, but I do, and he's okay by me."

8
  • That authority in the on-line environment is
    known as a certificate authority (CA), an
    agency whose integrity must be beyond reproach.

9
  • A certificate authority establishes protocols to
    ascertain the identity of registrants, and
    supports on-line verification that the identity
    has been proven to the CA. The Certificate
    Authority essentially says, "I checked this person
    out, and verified that he is who he says he is;
    you have my word on it."

10
  • To acquire a digital certificate, an individual
    or organization registers with a certificate
    authority and presents proof of identity. The CA
    requests specific information of the registrant,
    investigates it, and then issues a digital
    certificate that confirms that the CA has
    verified the information independently.

11
  • The certificate would typically include the
    following information:
  • The registrant's name
  • Additional personal information such as an
    e-mail address for a person or a URL for a web
    server
  • A unique registration number
  • The name of the certificate authority
  • The public key of the registrant
  • Dates that reflect certificate validity (start
    and expiration dates)
  • A digital signature seal from the CA that
    verifies authenticity of the certificate

12
  • The exchange of digital certificates is a
    facility embedded into web browser functionality,
    such that the existence of certificates is easily
    detected and the certificates are automatically
    exchanged and verified with little or no
    intervention on the part of the user.

13
  • By including the public key of the holder in the
    certificate, secure communications can be
    established even with unknown parties. The
    certificate authority includes its own digital
    signature such that any modifications to the
    certificate, such as changing the expiration date
    or personal data of the holder, are readily
    detected and would thereby invalidate the
    certificate.

14
  • You can readily view a web site's digital
    certificate through the browser whenever the
    lock icon located in the lower portion of the
    browser window is in the closed position. This
    would signify that the link has been encrypted
    using the Secure Sockets Layer (SSL) encryption
    strategy. A graphic image of the digital
    certificate used to help establish the SSL
    connection can be viewed by clicking on the lock
    icon.

15
  • There are three generally accepted levels of
    authentication associated with the certification
    process.

16
  • Level 1: The combination of a user ID and
    password is usually described as level one
    security. As noted in the section on user
    authentication, a user ID and password are not
    sufficiently secure as they don't really
    authenticate users at all.

17
  • Applications that rely on Level 1 security
    are therefore subject to higher levels of risk
    and increased incidence of fraud. It is possible
    for someone to obtain a Level 1 digital
    certificate, but the certificate would attest to
    little more than the fact that the person paid a
    fee and has an e-mail account.

18
  • Level 2: The Certificate Authority performs a
    more thorough confirmation of the identity of the
    applicant, typically through arrangements with a
    trusted third party such as a financial
    institution, and in this way can confirm through
    such accounts and cross-references that the
    individual is who they claim to be, and can then
    issue a Level 2 digital certificate.

19
  • Level 3: Attests that the holder physically
    appeared in person, and presented official
    government-issued identification (thus attaining
    the same degree of authentication as in the bank
    teller example). Level 3 validation may also
    include biometric identification.

20
  • One of the most important and most frequent uses
    of digital certificates is to confirm that a
    particular public key belongs to a specific
    individual or web server, thus inhibiting
    potential misrepresentation or spoofing
    activities.

21
  • A second major use of digital certificates is in
    the verification of digital signatures.
  • Digital signatures are used to satisfy the
    on-line requirements for the functions served by
    traditional physical signatures.

22
  • A popular misconception about digital signatures
    is that they are simply the scanned version of
    a physical signature. This notion is reinforced
    when retail stores have their customers sign a
    digital pad rather than a charge slip, and the
    clerks describe the process as a "digital
    signature."

23
  • Not to confuse the matter, but a digital
    signature is distinct from a "digital signature,"
    as we will see.

24
  • A hand-written physical signature is required in
    situations such as financial transactions and
    signing binding commitments wherein the signature
    provides a legally-binding affirmative act that
    serves as non-repudiable evidence that binds the
    signer to the document.

25
  • A digital signature serves much the same
    purpose as a traditional hand-written signature,
    in that it demonstrably connects a person to a
    particular document or transaction. A digital
    signature must therefore satisfy the legal
    expectations for traditional signatures, but also
    meet additional criteria:

26
  • 1) It must authenticate the message or document
    so as to ensure its integrity and detect any
    tampering.

27
  • 2) It must authenticate the signer so as to
    verify identity even (particularly) if the signer
    is not present.

28
  • 3) It should provide the affirmative act that
    associates a specific document with a particular
    signer. And all of this must be accomplished in an
    efficient and secure manner.

29
  • The creation of a digital signature involves
    several steps. Recall that in the section on
    document integrity we learned about message
    digest functions.

30
  • Message digest functions are a form of hash
    functions that take a variable length text
    document as input and produce an output that can
    be viewed as relatively unique and distinctive,
    thus serving as a sort of fingerprint of that
    document.

31
  • If even the slightest change is made to the
    document, the message digest output would also be
    changed. A message digest function is used to
    authenticate a document.

32
  • In preparing a digital signature, a particular
    document (or message) is identified, and a
    fingerprint computed using a message digest
    function.

33
  • The private key of the signer is then used to
    encrypt the fingerprint of the document, and by
    so doing serves to authenticate the identity of
    the signer as only the signer would possess the
    private key.

34
  • The document and the associated digital signature
    together form the affirmative act necessary to
    meet legal expectations. The digital signature
    by itself, not connected to the document, is
    meaningless, as the signature is used to connect
    the signer to a specific document.

35
  • The recipient of a digitally signed message can
    then decrypt the signature using the public key
    of the signer, thereby yielding the fingerprint
    of the document.

36
  • This is where a digital certificate might be used
    to verify that it is the right key from the right
    person. Remember that only the public key of the
    signer can be used to decrypt a message that has
    been encrypted using the signer's private key,
    thus this serves to verify the identity of the
    signer.

37
  • The same message digest function would be run on
    the document itself, yielding a new result. If
    the new result and the decrypted old value are
    the same then this result serves to verify that
    the document is authentic and unaltered.
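
The signing and verification steps on slides 32 to 37, combined with the CA seal from slides 11 and 13, as an added example that is not part of the original presentation. It follows the slides' "encrypt the fingerprint with the private key" model using textbook RSA without padding, which real systems do not use as-is. The keys, names, serial number and dates are constructed assumptions.

```python
import hashlib
import json

E = 65537  # public exponent shared by both toy keys

def make_key(p, q):
    """Return (public, private) textbook-RSA keys built from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def fingerprint(data, n):
    """Message digest of the data, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, private):
    """'Encrypt' the fingerprint with the signer's private key."""
    n, d = private
    return pow(fingerprint(data, n), d, n)

def verify(data, signature, public):
    """'Decrypt' the signature with the public key and compare digests."""
    n, e = public
    return pow(signature, e, n) == fingerprint(data, n)

def encode(fields):
    """Canonical byte form of a certificate's fields, used for signing."""
    return json.dumps(fields, sort_keys=True).encode()

# Constructed keys: Mersenne primes keep the demo short; far too small for real use.
CA_PUB, CA_PRIV = make_key(2**107 - 1, 2**127 - 1)
ALICE_PUB, ALICE_PRIV = make_key(2**61 - 1, 2**89 - 1)

# Constructed certificate carrying the fields listed on slide 11.
CERT = {"name": "Alice Example", "email": "alice@example.com", "serial": 1001,
        "issuer": "Example CA", "public_key": list(ALICE_PUB),
        "not_before": "2024-01-01", "not_after": "2025-01-01"}
CERT_SIG = sign(encode(CERT), CA_PRIV)  # the CA's seal over every field

DOC = b"I agree to pay 100 dollars."
DOC_SIG = sign(DOC, ALICE_PRIV)

def check(cert, cert_sig, doc, doc_sig):
    """Verify the CA seal first, then the document against the certified key."""
    if not verify(encode(cert), cert_sig, CA_PUB):
        return "certificate rejected"
    if not verify(doc, doc_sig, tuple(cert["public_key"])):
        return "signature rejected"
    return "valid"
```

Calling `check` with the original values returns "valid"; changing the certificate's expiration date or a single character of the document makes the corresponding check fail. The example does not compare the validity dates against the current time, which a real verifier must also do.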

38
  • A digital signature can be more reliable than the
    corresponding traditional signature, as while it
    is possible to forge a hand-written signature, a
    digital signature is much more difficult to
    forge.

39
  • By attaching a digital signature to a document it
    is possible for the recipient to confirm the
    authenticity and integrity of the document, and
    verify the identity of the sender with a degree
    of confidence much higher than by using physical
    signatures.

40
  • The growing potential for and significance of
    digital signatures was acknowledged in a federal
    law [1] that authorized the use of digital
    signatures in a wide range of legally binding
    transactions that would otherwise have required a
    physical written signature.
    [1] The Electronic Signatures in Global and
    National Commerce Act (E-Sign) took effect on
    October 1, 2000.

41
  • The law was motivated by the recognition that the
    use of digital signatures would expedite the
    handling of a wide range of transactions and
    potentially save billions of dollars in
    processing costs associated with traditional
    signature collection methods.

42
  • However, the law does include several situations,
    primarily involving life-changing or threatening
    scenarios, where digital signatures are not
    acceptable, including but not limited to the
    following:

43
  • The creation and execution of wills and trusts
  • Adoptions, divorce, or other matters of
    family law
  • Cancellation or termination of utility
    services (water, heat, power)
  • Actions against the primary residence of an
    individual (eviction, foreclosure, etc.)
  • Cancellation or termination of health or life
    insurance benefits

44
  • The use of digital signatures is growing rapidly
    as the number of on-line transactions increases
    and the need to protect and secure these
    transactions becomes more important. Combined
    with the increased efficiency and tremendous cost
    savings involved, it is likely that digital
    signatures will become a routine component of a
    wide range of on-line transactions.

45
  • The emerging standard for digital certificates
    can be found in RFC 2459, "Internet X.509 Public
    Key Infrastructure Certificate and CRL Protocol."
    Note that the X.509 protocol is not yet a
    standard; the details are still undergoing
    development.

46
  • A compendium of specific development tasks along
    with target dates and related background
    documents for X.509 and the dozen or so RFCs on
    relevant technical problems can be found at
    http://www.ietf.org/html.charters/pkix-charter.html.