What Are Digital Certificates?

Digital certificates are a ubiquitous feature of the digital world; everyone has seen the little lock icon in the corner of their web browser’s address bar indicating that a website is using a trusted digital certificate.  But what is a digital certificate and why should you care?

A digital certificate (also known as a Public Key Certificate or Identity Certificate) is a type of digital document that is attached to other documents or digital communications to prove identity, facilitate secure communications, and ensure data integrity on the internet and other network environments.

 

What Do Digital Certificates Do?

Digital certificates have a variety of uses in securing and verifying digital information, including:

Identity Verification:

Digital certificates are unique to the entity that they are issued to and can be used to prove that the entity is what it claims to be.  Prior to issuing a certificate, a third-party service provider, called a Certificate Authority (CA), validates the owner’s identity and right to use the name or other identifying criteria associated with the certificate.  Certificate Authorities also provide mechanisms by which the public can verify that a certificate was issued by that CA and is valid.

The most visible example of digital certificates being used for Identity Verification is the lock icon in web browsers that indicates a site is using a valid SSL Certificate (a type of digital certificate).  Clicking the lock icon and viewing the certificate properties reveals who the holder claims to be, who certified that the holder is who they claim to be, the mechanisms used to verify the certificate’s authenticity, the ways the certificate may be used and more.

Confidentiality:

In the digital world, confidentiality means encryption, which is scrambling data in such a way that unauthorized entities cannot use it, but authorized entities can.  Digital certificates can be used to establish unique encryption keys that only the sender and the intended recipient can use, thus preventing unauthorized entities from being able to read or use that data.  This is a somewhat less visible, but arguably more common, use for digital certificates than Identity Verification.

Digital certificates include a very large number, called a Public Key, that is used to encrypt data in such a way that only an entity that also knows another very large number, called a Private Key, can unscramble the message.  The relationship between the numbers in the Public and Private keys is so incredibly difficult to determine that it would take many years to calculate the correct way to decipher an encrypted message.  This type of encryption can be used not only for data in transit over the Internet or other networks, but also for data “at rest” on a computer or “in the cloud”.

Access Control:

Digital certificates can be used to enforce restrictions on access to digital information; only the certificate holder or an authorized delegate will be granted access.  This is commonly seen with “Smart Card” authentication systems, which require a user not only to know a valid user ID and password combination, but also to possess a specialized certificate.  This serves as an extra layer of identity verification.

Tamper Detection:

The Public and Private keys of a digital certificate can be combined with a digital message or document in such a way as to create a digital signature that is unique to that message or document.  Recalculating the signature at a later time and comparing it to the original can prove that the object has or has not been changed.

“Non-Repudiation”:

“Non-Repudiation” is a legal term that refers to situations where the author of a statement or contract cannot plausibly deny making the statement or contract, such as having a signature witnessed and verified by a Notary or Officer of the Court.  In the digital world, certificates can be used to “sign” a document or message with a unique signature.  Since only the holder of the certificate could create that signature, it is possible to prove that the certificate holder did sign the document or message.  This goes hand-in-hand with Identity Verification and Tamper Detection.

 

How Do Digital Certificates Work?

Here is one example of an everyday use of digital certificates to secure communications against impersonation, eavesdropping and tampering:

  1. A typical internet user browses to an eCommerce website to purchase a widget.
  2. The user’s computer sends a request to the eCommerce server asking that it prove its identity.
  3. The eCommerce server replies with a copy of its digital certificate, including its Public Key.  The Private Key never leaves the server.
  4. (Identity Verification) The user’s computer examines the certificate, determines who issued it, checks the claimed identity against the requested identity, and determines if it is valid and trustworthy.
  5. (Confidentiality)  The user’s computer uses the eCommerce server’s Public Key to encrypt a message that contains some identity and random information generated by the user’s computer.
  6. The eCommerce server decrypts the message using its Private key and examines the content.
  7. The user’s computer and the eCommerce server independently calculate a new encryption key (the “Session Key”) using previously exchanged data.  This key is independent of the Public and Private keys and is only used for the duration of the current session.  Further, this Session Key does not need to be exchanged between the computers and is never sent over the network in any form.  Assuming both computers have exchanged accurate information up to this point and successfully decrypted it, they will both calculate the same Session Key.
  8. (Tamper Detection and Non-repudiation)  The eCommerce server sends an acknowledgement encrypted with the Session Key, and digitally signs the message with its own Private Key.
  9. The user’s computer validates the message signature using the server’s Public Key, then decrypts the message using the Session Key.  If the decrypted message is the expected reply, a secure session is established.
  10. From this point until the session is complete, all communication between the user’s computer and the eCommerce server is encrypted and digitally signed, ensuring that the customer’s account and credit card information, product selections and shipping details are protected from disclosure.
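
The exchange in steps 3 to 9, as an added example that is not part of the original article: a Python simulation using textbook RSA with a constructed toy key (two publicly known Mersenne primes, no padding), so it illustrates the message flow only.  The function names, the XOR keystream and the HMAC-based key derivation are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed toy key: publicly known Mersenne primes, no padding. Not secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                               # (N, E) is the Public Key in the certificate
D = pow(E, -1, (P - 1) * (Q - 1))       # Private Key: stays on the server

def digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes) -> int:
    """Server side: requires the Private Key."""
    return pow(digest_int(data), D, N)

def verify(data: bytes, sig: int) -> bool:
    """Client side: requires only the Public Key."""
    return pow(sig, E, N) == digest_int(data)

def session_key(secret: bytes, c_rand: bytes, s_rand: bytes) -> bytes:
    """Step 7: each side derives the key locally; it is never transmitted."""
    return hmac.new(secret, b"session" + c_rand + s_rand, hashlib.sha256).digest()

def xor_stream(key: bytes, msg: bytes) -> bytes:
    """Toy symmetric cipher for messages of at most 32 bytes."""
    pad = hashlib.sha256(key + b"stream").digest()
    return bytes(a ^ b for a, b in zip(msg, pad))

def handshake(tamper: bool = False) -> bool:
    c_rand, s_rand = secrets.token_bytes(16), secrets.token_bytes(16)
    # Step 5: client encrypts a random secret with the server's Public Key.
    secret = secrets.token_bytes(32)
    wire = pow(int.from_bytes(secret, "big"), E, N)
    # Step 6: server recovers the secret with its Private Key.
    recovered = pow(wire, D, N).to_bytes(32, "big")
    # Step 7: both sides compute the Session Key independently.
    k_client = session_key(secret, c_rand, s_rand)
    k_server = session_key(recovered, c_rand, s_rand)
    # Step 8: server encrypts the acknowledgement and signs the ciphertext.
    ack = xor_stream(k_server, b"handshake-ok")
    sig = sign(ack)
    if tamper:                          # simulate modification in transit
        ack = bytes([ack[0] ^ 1]) + ack[1:]
    # Step 9: client checks the signature, then decrypts with its own key.
    return verify(ack, sig) and xor_stream(k_client, ack) == b"handshake-ok"

if __name__ == "__main__":
    print("clean:", handshake(), "tampered:", handshake(tamper=True))
```

The flow above is RSA key transport, which matches the steps as the article describes them; TLS 1.3 removed this mode and derives the session key with ephemeral Diffie-Hellman instead.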

 

How Do I Obtain a Digital Certificate?

Digital certificates can be purchased from a variety of vendors and can be tailored to suit your business needs. For assistance in determining the right digital certificate for your business, contact our specialists for a consultation.