What are digital certificates?

Published : Aug 06, 2014 12:30 IST

A screenshot of Microsoft's Root Store in Internet Explorer.

DIGITAL certificates (DCs) are basically digital files that work like an online password to verify the identity of a user or a computer. They are used to establish a Secure Sockets Layer (SSL)-encrypted channel that is used for communication over the Internet between a client and a server using what is called the Public Key Infrastructure (PKI). The PKI in the Indian context is the digital security infrastructure maintained and operated by the Controller of Certifying Authorities (CCA) of the Department of Electronics and Information Technology (DeitY) and the other subordinate or intermediary Certifying Authorities (CAs).

The SSL is a standard security protocol to establish an encrypted link between a server and a client, typically a web server (website) and a browser or a mail server and a mail client (for example, Gmail). It allows sensitive information such as credit card numbers, login details or financial transaction details to be transmitted securely. A DC is a digital statement issued by a CA authenticating the identity of the certificate holder and enabling the parties to communicate in a secure manner using encryption. DCs are also referred to as SSL certificates.

The websites that one commonly visits have uniform resource locators (URLs) that begin with http://. The Hypertext Transfer Protocol (HTTP) that they use is actually an insecure mode of data transmission between browsers and web servers; the data travel in plain text, which is vulnerable to eavesdropping or man-in-the-middle attacks. On the other hand, a site beginning with https:// implements what is known as the HTTP Secure (HTTPS) protocol, which guarantees secure communication over the Internet. Basically, it is the result of simply layering HTTP over the SSL protocol, thus endowing the standard HTTP mode of communication with the SSL’s security capabilities. Thus, DCs are used only for communication and for transactions using the HTTPS protocol, and not for communication with HTTP alone.

Encryption

Encryption is the process of encoding messages or information so that only authorised parties can read them. In an encryption scheme, the message or information in plain text is encrypted using an algorithm to generate “ciphertext” that can only be read if decrypted. The encryption password, or “key” as it is known in cryptography, is generated by a complex mathematical algorithm.

There are two kinds of encryption schemes: symmetric and asymmetric. In the former, the same key is used both to encrypt and decrypt the data. In the latter, the process involves mathematically generating a pair of keys. Like everything in computers, these are simply large numbers, and the underlying mathematics ensures that it will be nearly impossible to guess the key-pair.

Given a pair of keys, “a” and “b”, data encrypted with “a” can only be decrypted with “b” and data encrypted with “b” can only be decrypted with “a”. Hence the name asymmetric encryption. To ensure digital security through the PKI scheme, one uses what is known as a “public key” and a “private key”. The former is available to all users of a communication network, while the latter is held secret by the entity that owns the key-pair. This guarantees the following: if the entity’s public key is used to encrypt something before transmission, only the entity can decrypt it and access the information. Conversely, if the entity encrypts a message with the private key it holds, then anyone can decrypt it with the publicly available key but everyone accessing it is assured that the entity alone was the source of the message.

DCs are electronic files that contain information about the public key of the entity owning the certificate and some additional information about the entity—person, computer, web server or service provider—holding the private key. This information is authenticated and signed by a trusted third party, in this case the CA issuing the DC, who in turn is authorised by the root CA, the CCA in the Indian case. The public and private keys are used by the client and the server to encrypt data before transmission. For Windows-based users, computers and services, trust in a CA is established when there is a copy of the root certificate in the trusted Microsoft Root Store. DCs thus authenticate that their owners—people, websites, and even network resources such as routers—are indeed what they claim to be and also protect, via the SSL protocol, data exchanged online from theft or tampering.

When one accesses an https:// website, the process goes like this. The website gives the browser its public key, which is contained in its DC. The site claims to be what one wanted to access, and the public key matches what the site is using as its private key. But, in principle, this site could have been set up by anyone. It is the fact that a trusted CA has signed the DC and that it figures in the browser’s root store that authenticates the DC and the website being accessed.

But for the certificate to be valid, it must not have been revoked, which could happen if the CA was compromised or breached, and the validity period must not have expired.

In the present instance of hacking of the National Informatics Centre Certifying Authority (NICCA), the intruder was able to create intermediate CA certificates that were signed by the root CA, the CCA, thus making them appear valid. For example, the hacker successfully impersonated certain domains of Google and Yahoo and generated fake DCs corresponding to them. Using these certificates, the hacker can create website certificates for any website. Such websites would be trusted simply because the DC the intermediary CA issued looked valid, was trusted by a root CA, and the root CA figured in the web server or client’s root store.
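The chain-of-trust check described above, as an added example that is not part of the original article: a toy Python validator that checks the host name, expiry, revocation and each signature up to the root store. It assumes textbook RSA over small fixed primes and constructed names such as "Example Root CA", and it shows why revoking the intermediate certificate is what stops certificates issued under it from validating.

```python
import hashlib, json

E = 65537  # public exponent shared by all toy keys

def keypair(p, q):
    # Toy textbook RSA from two known primes: illustration only, never real use.
    n = p * q
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(body, n):
    data = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(serial, subject, pub, issuer, issuer_priv, is_ca, not_after):
    # The issuer signs the certificate body with its private key.
    body = {"serial": serial, "subject": subject, "pub": pub,
            "issuer": issuer, "is_ca": is_ca, "not_after": not_after}
    n = issuer_priv["n"]
    return {"body": body, "sig": pow(digest(body, n), issuer_priv["d"], n)}

def validate(chain, host, root_store, revoked, today):
    # chain runs leaf first; the last certificate must be signed by a stored root.
    if chain[0]["body"]["subject"] != host:
        return "name mismatch"
    for i, cert in enumerate(chain):
        b = cert["body"]
        if b["not_after"] < today:  # ISO dates compare correctly as strings
            return "expired"
        if b["serial"] in revoked:
            return "revoked"
        if i > 0 and not b["is_ca"]:
            return "issuer is not a CA"
        parent = chain[i + 1]["body"] if i + 1 < len(chain) else None
        if parent is not None and parent["subject"] != b["issuer"]:
            return "broken chain"
        signer = parent["pub"] if parent else root_store.get(b["issuer"])
        if signer is None:
            return "untrusted root"
        if pow(cert["sig"], signer["e"], signer["n"]) != digest(b, signer["n"]):
            return "bad signature"
    return "trusted"

def build_demo():
    # Constructed names and keys (Mersenne primes keep the toy keys reproducible).
    root_pub, root_priv = keypair(2**61 - 1, 2**31 - 1)
    int_pub, int_priv = keypair(2**89 - 1, 2**107 - 1)
    leaf_pub, _ = keypair(2**19 - 1, 2**17 - 1)
    inter = issue(2, "Example Intermediate CA", int_pub, "Example Root CA", root_priv, True, "2024-12-31")
    leaf = issue(3, "www.example.com", leaf_pub, "Example Intermediate CA", int_priv, False, "2015-12-31")
    return [leaf, inter], {"Example Root CA": root_pub}
```

With `chain, store = build_demo()`, `validate(chain, "www.example.com", store, set(), "2014-08-06")` returns "trusted", while passing `{2}` (the intermediate's serial) as `revoked` returns "revoked".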

R. Ramachandran
