Matthew Weaver Computer Science December 4, 2008 Digital Certificates Due to the flourishing nature of electronic trading over the past decade or so and the increasing need to perform secure transactions online comes the introduction of digital certificates. They are essentially trusted identification cards like passports or drivers licenses that are in electronic format binding a websites public key to their identity. Based around asymmetric or public key cryptography, digital certificates ensure that the public key contained within the certificate actually belongs to the entity for which the certificate was issued. Certificates are issued by a Certificate Authority (CA), a trusted third party provider able to verify the matching of public keys to identity, email addresses, or other forms of information. Without a certificate, there is not much in way of assurance to the public that the website in question in legitimate. However, certificates in themselves are only useful as long as the subject of the certificate trusts the CA. Currently digital certificates are based around the X.509V3 certificate standard, which in length equivalents to meaning the 3rd version of the International Telecommunication Union Telecommunication Standardization Sector recommendation X.509 for certificate syntax and format. Each certificate usually contains at least the following information: Subjects’ public key value, Subjects’ identifier information such as names or email addresses, Time period for which the certificate is valid, issuer identification information, and the Issuers’ digital signature which confirms the trust between the subjects’ public key and the subjects’ identification information. A benefit of using digital certificates is that hosts no longer need to maintain passwords for individual subjects who need authenticated for access. (1) Each certificate goes through what is called the certification path from the Root Certification Authority (CA) to the final user. Certificates also have what are called life cycles. This includes CA’s being installed and having certificates issued to them, certificates issued by CA’s, certificates revoked or renewed whenever necessary, and CA certificates renewed or expired when necessary. Subjects or CA’s have the option of renewing their certificates at the end of the issued certificates lifetime until the certificate is revoked or expired. Each lifetime differs depending on various considerations such as User trust, Risk of attack, or how much effort you are willing to put into renewing certificates. The longer the certificates are valid, the greater the risk to a security compromise. There are four main categories of digital certificates that are used currently on the internet. These are Personal Certificates, Server Certificates, Software Publisher Certificates, and lastly Certificate Authority Certificates. Personal Certificates are used to identify to a person and may be used to authenticate users with a server or enable secure email. It’s recommended that users backup these types of certificates to a safe location in case they become damaged. If they do become damaged for some reason, the certificate will no longer be available for use and create an error message whenever a user attempts to use their secure email. A Server Certificate is used to identify servers partake in secure communications between other computers. They allow a server to verify its identification to other clients. A Software Publisher Certificate informs users whether the issuer is part of the infrastructure of trusted publishers and CA’s. This type of certificate signs software to be distributed throughout the internet. Microsoft ActiveX and other forms of compiled code require to be signed by a trusted software publisher certificate. In the Internet Explorer browser to view a list of trusted publishers, under the Tools menu click Internet Options, click the Content tab, finally click Publishers. Lastly are the Certificate Authority Certificates. Microsoft separates Certificate Authorities into two categories, Root Certification Authorities and Intermediate Certification Authorities. Root certificates are self-signed meaning that the subject of the certificate is also the signer. Root Certification Authorities can assign certificates to Intermediate Certification Authorities who can issue server certificates, personal certificates, software publisher certificates, or certificates for other Intermediate Certification Authorities. Intermediate Certificates go between server certificates and root certificates. (3) One might go and ask how an individual would go about acquiring one of these certificates. The first step is the key generation which means an individual requests a key pair of public and private keys. Next comes the matching of policy information which means the subject filing for the certificate puts together any information necessary for the certificate authority to issue the certificate. The applicant then sends the public keys and information to the certificate authority. Using the information sent, the Certificate Authority uses whatever policy rules it needs to in order to undoubtedly verify that the information given is correct and matches with the applicant. Once verified, the Certificate Authority creates the certificate with the necessary information on it and signs it with its own private key. The Certificate Authority may then either send the certificate directly to the applicant or post it online publicly to be loaded on the applicant’s computer depending on the circumstance. Now that we know how an individual might go about getting a certificate, how might a certificate be revoked or taken away? Each Certificate Authority comes up with lists called certificate revocation lists containing certificates that have been revoked for one reason or another. Its possible that false information was somehow submitted in order to get the certificate in the first place. There is also a chance that an individuals certificate may become compromised. (3) There are a few questions we should ask ourselves about using these digital certificates. Using a certificate is not without a certain amount of risk of information exposure. We wonder who can we trust and with what information? In cryptography, Certificate Authorities may be known to be trusted but what it really means is that they can only handle their own private keys. So when it comes to electronic transactions no matter how big or small, there is still a risk and a need to watch the trust allocated. Is the Certificate Authority allowed to choose who is allowed to be trusted and who decides? While they might provide a good set of rules on paper to which they claim to follow, it still shouldn't give you a sense of trust in the certificate. If you are provided with or you are able to create your own private key, is there ample protection for it? Most people do not have state of the art system protocols to block out hazardous programs, malicious connections, or knowledge of who else has physical access to their computer. In the process of certificate verification, only public keys are used. If somehow an attacker is able to get root access and include his or her own public key, this would allow the attacker free rein to issue legitimate looking certificates at will. The much noted term non-repudiation comes into play. Vendors like to use this term to more effectively sell their keys and pass on responsibility of what happens with the private key to the buyers. It doesn't matter whomever or whichever virus might have accessed the computer, the original recipient assumed responsibility of any actions. An example to contrast this too is credit cards where if you repudiate something on your bill, the vendor is required to prove for certain that you did actually buy that item. Name association is a problem; an individual may send their information to a Certificate Authority but there's a chance there may be multiple instances of individuals of the same name. It's possible there may be a mix-up of keys; however trusting the Certificate Authority gave out the correct keys, the recipient might never notice the problem. They may be able to make the certificates but have no real authority on what is contained within the certificate such as the name or DNS name in the certificate. Using credit bureau databases as a basis to verify information is a problem for commercial Certificate Authorities. How secure are these certificate practices? While digital certificates certainly may help secure the information, certain practices need to be followed properly. Each certificate has a limited period of life for which its able to function. There is also period of time for which it might become stolen; this all depends on many possible factors such as how vulnerable the system that holds the key or how much the key might be worth to someone. Compiling this information allows vendors to find the probability of loss as time passes. There are many uses for digital certificates such as secure online communications, code signing, secure email messaging, or even network access authentication. When using them for secure communications such as SSL or TLS, protocols that provide mutual authentication, communication privacy, and communication integrity. There is also another method of secure authentication, HTTPS. There are a couple of different certificates that fall under this method which has a greater standing over that of SSL. These certificates would be Server certificates and Client certificates. The server certificates as previously covered contain server information that helps clients to identify the server before any information is exchanged. Client certificates are full of information about the user and can identify the sender to the server. Certificates are able to do any of a variety of tasks under the umbrella of code signing. Unsigned code could pose a threat to the security of your computer and the information within it. Authenticode is a Microsoft based software that watches the downloading of controls and files and displays a warning in the case of a security warning. Using this information, users can decide whether to allow or deny the download to continue. A third option for digital certificates is using certificates for secure email messaging. S/MIME is an off shoot of MIME which allows senders to digitally sign their email messages to provide proof of integrity. Finally administrators use certificates for network access authentication because they provide strong security and eliminate the need for password based authentication systems. Using certificate authentication with VPN connections based around L2TP/IPSEC provides the strongest form of authentication in the Windows system family. (1) While there are many different options out there today, I decide to compare 2 different Certificate Authorities, see what the advantages and disadvantages to both. I decided to look between CAcert, a nonprofit organization, and VeriSign, a widely known competitor within the digital certificate world. As stated above, CAcert is a nonprofit and volunteer based group who want to help provide free authentication to everyone in the world. Once organizers looked into what it took to operate a Certificate Authority, they found it to be rather small. This lead to free implementations of various secure technologies. Registering for CAcert costs no money; just a bit of time through registering online and convincing the staff your information is cleared. While these free certificates may not help protect against sensitive transactions, they do allow for easy personal tasks like email. Critics against CAcert argue about it not following in the standards of the rest of the industry. The cost of regular industry certificates and the options they provide don't follow the same model line as CAcert. Many browsers don't enforce standards set by the various companies. (4) While VeriSign charges for their certificates, they are considered as a leader of the pack of Certificate Authorities. Hundreds of companies and banks from all over the world use VeriSign as their authority. With a single management center, customers are given a location to keep track of all their possible certifications. VeriSign offers customers a high encryption so there is little chance that a person would be able to hack their way through the key. There are four different certificates that VeriSign offers; Secure Site, Secure Site Pro, Secure Site with EV, and Secure Site Pro with EV. While these offer many various incentives, the cost to buy even the lowest certificate was high priced. The VeriSign logo is one of the most recognized throughout all of the internet bringing about the feeling of trust that their information is being protected by the strongest locks in the industry. (5) Works Cited 1) Clercq, Jean D. "Certificates." Microsoft TechNet. 22 Nov. 2008 <http://technet.microsoft.com/en-us/library/cc700805.aspx>. 2) Ellison, Carl, and Bruce Schneier. "Ten Risks of PKI: What You're not Being Told about Public Key Infrastructure." 22 Nov. 2008 <http://www.schneier.com/paper-pki-ft.txt>. 3) "Microsoft Help and Support." Description of Digital Certificates. 20 Nov. 2008 <http://support.microsoft.com/kb/195724>. 4) Oram, Andy. "CAcert: Digital certificates become free." Lamp: The Open Source Web Platform. 30 June 2004. 21 Nov. 2008 <http://www.onlamp.com/pub/wlg/5142>. 5) "SSL Certificates." VeriSign. 20 Nov. 2008 <http://www.verisign.com/ssl/index.html>. 6) "Stay Smart Online Alert Service." Australian CERT. 20 Nov. 2008 <http://www.ssoalertservice.net.au/content/doc/f9_checking_digital_certificates.p df>. 7) "Understanding Digital Certificates." Microsoft TechNet. 20 Nov. 2008 <http://technet.microsoft.com/en-us/library/bb123848.aspx>.