
Digital Certificates

A digital certificate is data carrying a digital signature from a trusted Certification Authority (CA). This data contains:
- Who owns this certificate
- Who signed this certificate
- The expiry date
- User name & email address

Digital Certificate

Reference

Elements of Digital Cert.

A Digital ID typically contains the following information:


- Your public key
- Your name and email address
- Expiration date of the public key
- Name of the CA who issued your Digital ID

Certification Authority (CA)

A trusted agent who certifies public keys for general use (Corporation or Bank).
User has to decide which CAs can be trusted.

The model for key certification based on friends and friends of friends is called Web of Trust.
The public key is passed from friend to friend. This works well in small or highly connected worlds. What if you receive a public key from someone you don't know?

CA model (Trust model)


[Diagram: Root Certificate; CA Certificate; CA Certificate; Browser Cert.; Server Cert.]
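
The certificate elements and CA hierarchy described above, as an added example that is not part of the original slides: a Python sketch that issues a root, an issuing CA and a server certificate, then validates the chain up to a root the user trusts. The toy RSA keys built from Mersenne primes, the field layout and all names are assumptions for illustration and are not secure.

```python
import hashlib
from dataclasses import dataclass
from datetime import date

E = 65537  # RSA public exponent shared by all toy keys

def keypair(a, b):
    """Toy RSA key from Mersenne primes 2**a-1, 2**b-1 (illustration only, NOT secure)."""
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (modulus n, private exponent d)

@dataclass
class Cert:  # constructed field layout: the elements a Digital ID carries
    subject: str     # who owns this certificate
    issuer: str      # who signed this certificate (the CA)
    pubkey: int      # owner's public key (RSA modulus)
    expires: date    # expiry date
    signature: int = 0
    def digest(self, n):
        data = f"{self.subject}|{self.issuer}|{self.pubkey}|{self.expires}"
        return int.from_bytes(hashlib.sha256(data.encode()).digest(), "big") % n

def issue(subject, pubkey, expires, issuer, issuer_n, issuer_d):
    cert = Cert(subject, issuer, pubkey, expires)
    cert.signature = pow(cert.digest(issuer_n), issuer_d, issuer_n)  # CA signs the hash
    return cert

def verify_chain(chain, trusted_roots, today):
    # chain[0] is the leaf; each cert is checked against the next, the root against itself
    for cert, parent in zip(chain, chain[1:] + chain[-1:]):
        if cert.expires < today:
            return f"expired: {cert.subject}"
        if cert.issuer != parent.subject:
            return f"issuer mismatch: {cert.subject}"
        if pow(cert.signature, E, parent.pubkey) != cert.digest(parent.pubkey):
            return f"bad signature: {cert.subject}"
    root = chain[-1]
    if trusted_roots.get(root.subject) != root.pubkey:  # the user decides which CAs to trust
        return f"untrusted root: {root.subject}"
    return "ok"

def build_sample_chain():
    root_n, root_d = keypair(127, 107)
    ca_n, ca_d = keypair(89, 61)
    exp = date(2030, 1, 1)
    root = issue("Root CA", root_n, exp, "Root CA", root_n, root_d)  # self-signed
    ca = issue("Issuing CA", ca_n, exp, "Root CA", root_n, root_d)
    leaf = issue("www.example.test", keypair(521, 607)[0], exp, "Issuing CA", ca_n, ca_d)
    return [leaf, ca, root], {"Root CA": root_n}
```

A valid chain returns "ok"; an expired certificate, an altered field or a root missing from the trust store each produce a distinct failure string.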

Web of Trust model


[Diagram: Alice, Bob, A, B, C]

Public Key Infrastructure (PKI)

PKI is a system that uses public-key encryption and digital certificates to achieve secure Internet services. There are 4 major parts in PKI:
- Certification Authority (CA)
- A directory service
- Services, Banks, Web servers
- Business Users

Digital21.gov.hk

Reference: An official homepage which provides a lot of PKI and e-commerce information.

PKI Structure
[Diagram: Certification Authority; Directory services; Public/Private Keys; User; Services, Banks, Web servers]

4 key services

Authentication - Digital Certificate
To verify that a user is who he/she claims to be, in order to access the resource.

Non-repudiation - Digital Signature
To make the user unable to deny that he/she has sent the message, signed the document or participated in a transaction.

Confidentiality - Encryption
To keep the transaction secure: no one other than the communicating parties is able to read or retrieve the ongoing transaction.

Integrity - Encryption
To ensure the information has not been tampered with during transmission.

Certificate Signers


Certificate Enrollment and Distribution


Secure Web Communication

Server authentication is necessary for a web client to identify the web site it is communicating with. To use SSL, a special type of digital certificate, a server certificate, is used.
- Get a server certificate from a CA, e.g. www.hitrust.com.hk, www.cuhk.edu.hk/ca/
- Install a server certificate at the Web server.
- Enable SSL on the Web site.
Client authentication - Client certificates

Strong and Weak Encryption

Strong encryption
Encryption methods that cannot be cracked by brute force (in a reasonable period of time). The world's fastest computer needs thousands of years to compute a key.

Weak encryption
A code that can be broken in a practical time frame. 56-bit encryption was cracked in 1999. 64-bit will be cracked in 2011. 128-bit will be cracked in 2107.

PGP decryption

Reference

Secure SHell (SSH)

Provides an encrypted, secure channel between client and server. Replacement for telnet and ftp. Reference: SSH

Secure Shell & Secure FTP


Secure Shell Secure FTP

The Host's Public Key

Secure Electronic Transaction (SET)

This protocol was developed by Visa and MasterCard specifically for secure credit card transactions on the Internet. SET encrypts credit card and purchase information before transmission over the Internet. SET allows the merchant's identity to be authenticated via digital certificates, and also allows the merchant to authenticate users through their digital certificates (making it more difficult to use someone's stolen credit card).
SET DEMO

Secure Electronic Transaction (SET)

There are four parts in the SET system.


- A software wallet on the user's computer - Cardholder.
- A commerce server that runs on the merchant's web site - Merchant.
- The payment server that runs at the merchant's bank - Acquiring bank.
- The Certification Authority - Issuing bank.

SET FAQs

SET


Privacy-Enhanced E-mail

Encrypted Signed


Summary

Make sure you understand the relationship between:
- Encryption
- Digital Signature
- Digital Certificate
- Certificate Authority

Understand which public/private key should be used to encrypt/decrypt messages to/from you. Discuss PGP, SET, SSH, encrypted email.

The End. Thank you for your patience!