Certificates - The Public Key Infrastructure (PKI)

Public Key Encryption- Enter Alice, Bob, and Charlie:

Alice wants to send a message to Bob without letting Charlie read it, she encrypts the message with her private key and then encrypts it again with Bob’s public key. Since she used Bob’s public key, the only person who can read the message is the person with Bob’s private key, presumably Bob.

When Bob receives the message and decrypts it with his private key, he then sees something encrypted with Alice’s private key. He can use her public key, which he has, to read the message. And, since only Alice knows her private key, Bob knows that Alice sent the message.

The problem is that:

All of this assumes that Alice and Bob know each other real well and have had a chance to exchange public keys in a secure environment
. Otherwise, it is difficult to ensure that what Alice thinks is Bob’s public key isn’t one that Charlie made and said was Bob’s. More to the point, the Web site asking for your credit card number is the one you trust giving it to.

Enter the:

Certificate Authority (CA)

last modified: thursday, october 16, 2003
(www.webopedia.com)

A trusted third-party organization or company that issues digital certificates used to create digital signatures and public-private key pairs. The role of the CA in this process is to guarantee that the individual granted the unique certificate is, in fact, who he or she claims to be. Usually, this means that the CA has an arrangement with a financial institution, such as a credit card company, which provides it with information to confirm an individual's claimed identity. CAs are a critical component in data security and electronic commerce because they guarantee that the two parties exchanging information are really who they claim to be.

Digital Certificate

last modified: Monday, october 27, 2003
(www.webopedia.com)

an attachment to an electronic message used for security purposes. the most common use of a digital certificate is to verify that a user sending a message is who he or she claims to be, and to provide the receiver with the means to encode a reply. an individual wishing to send an encrypted message applies for a digital certificate from a certificate authority (ca). the ca issues an encrypted digital certificate containing the applicant's public key and a variety of other identification information. the ca makes its own public key readily available through print publicity or perhaps on the internet. the recipient of an encrypted message uses the ca's public key to decode the digital certificate attached to the message, verifies it as issued by the ca and then obtains the sender's public key and identification information held within the certificate. with this information, the recipient can send an encrypted reply. the most widely used standard for digital certificates is X.509.

This Diagram Appears in Ian Curry's Entrust White Paper

Alice, Bob, Charlie, and the CA

Someone presents a certificate to Alice claiming that he or she is Bob and offers the certificate as proof.
The certificate contains the public key corresponding to what is claimed to be Bob's private key.
The certificate also identifies a CA known to the Alice that had signed the certificate.
Alice checks the signature in the certificate with the CA using the public key of the CA. The CA confirms that this is Bob's certificate.
Alice now presents a software challenge to whoever presented the certificate to verify that he or she has access to the private key that was originally generated when the certificate was obtained and hence he is, in fact, Bob
The challenge answered successfully, communication begins with Charlie left out of the loop!