What are digital certificates?

Print edition: August 22, 2014

A screenshot of Microsoft's Root Store in Internet Explorer.

Digital certificates (DCs) are basically digital files that work like an online password to verify the identity of a user or a computer. They are used to establish a Secure Sockets Layer (SSL)-encrypted channel that is used for communication over the Internet between a client and a server using what is called the Public Key Infrastructure (PKI). The PKI in the Indian context is the digital security infrastructure maintained and operated by the Controller of Certifying Authorities (CCA) of the Department of Electronics and Information Technology (DeitY) and the other subordinate or intermediary Certifying Authorities (CAs).

The SSL is a standard security protocol to establish an encrypted link between a server and a client, typically a web server (website) and a browser or a mail server and a mail client (for example, Gmail). It allows sensitive information such as credit card numbers, login details or financial transaction details to be transmitted securely. A DC is a digital statement issued by a CA authenticating the identity of the certificate holder and enabling the parties to communicate in a secure manner using encryption. DCs are also referred to as SSL certificates.

The websites that one commonly visits have uniform resource locators (URLs) that begin with http://. The Hypertext Transfer Protocol (HTTP) that they use is actually an insecure mode of data transmission between browsers and web servers; data travels in plain text, which is vulnerable to eavesdropping or man-in-the-middle attacks. On the other hand, a site beginning with https:// implements what is known as the HTTP Secure (HTTPS) protocol, which guarantees secure communication over the Internet. Basically, it is the result of simply layering HTTP over the SSL protocol, thus endowing the standard HTTP mode of communication with the SSL’s security capabilities. Thus, DCs are used only for communication and for transactions using the HTTPS protocol, and not for communication with HTTP alone.

Encryption

Encryption is the process of encoding messages or information so that only authorised parties can read them. In an encryption scheme, the message or information in plain text is encrypted using an algorithm to generate “ciphertext” that can only be read if decrypted. The encryption password, or “key” as it is known in cryptography, is generated by a complex mathematical algorithm.

There are two kinds of encryption schemes: symmetric and asymmetric. In the former, the same key is used both to encrypt and decrypt the data. In the latter, the process involves mathematically generating a pair of keys. Like everything in computers, these are simply large numbers, and the underlying mathematics ensures that it will be nearly impossible to guess the key-pair.

Given a pair of keys, “a” and “b”, data encrypted with “a” can only be decrypted with “b” and data encrypted with “b” can only be decrypted with “a”. Hence the name asymmetric encryption. To ensure digital security through the PKI scheme, one uses what is known as a “public key” and a “private key”. The former is available to all users of a communication network, while the latter is held secret by the entity that owns the key-pair. This guarantees the following: if the entity’s public key is used to encrypt something before transmission, only the entity can decrypt it and access the information. Conversely, if the entity encrypts a message with the private key it holds, then anyone can decrypt it with the publicly available key but everyone accessing it is assured that the entity alone was the source of the message.

DCs are electronic files that contain information about the public key of the entity owning the certificate and some additional information about the entity—person, computer, web server or service provider—holding the private key. This information is authenticated and signed by a trusted third party, in this case the CA issuing the DC, who in turn is authorised by the root CA, the CCA in the Indian case. The public and private keys are used by the client and the server to encrypt data before transmission. For Windows-based users, computers and services, trust in a CA is established when there is a copy of the root certificate in the trusted Microsoft Root Store. DCs thus authenticate that their owners—people, websites, and even network resources such as routers—are indeed what they claim to be and also protect data exchanged online, via the SSL protocol, from theft or tampering.

When one accesses an https:// website, the process goes like this. The website gives the browser its public key, which is contained in its DC. The site claims to be what one wanted to access, and the public key matches what the site is using as its private key. But, in principle, this site could have been set up by anyone. It is the fact that a trusted CA has signed the DC and that it figures in the browser’s root store that authenticates the DC and the website being accessed.

But for the certificate to be valid, it must not have been revoked, which could happen if the CA was compromised or breached, and the validity period must not have expired.

In the present instance of hacking of the National Informatics Centre Certifying Authority (NICCA), the intruder was able to create intermediate CA certificates that were signed by the root CA, the CCA, thus making them appear valid. For example, the hacker successfully impersonated certain domains of Google and Yahoo and generated fake DCs corresponding to them. Using these certificates, the hacker can create website certificates for any website. Such websites would be trusted simply because the DC the intermediary CA issued looked valid, was trusted by a root CA, and the root CA figured in the web server or client’s root store.
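
The checks described above (a signature that chains to a CA in the root store, no revocation, an unexpired validity period), as an added example that is not part of the original article. It is a toy model using textbook RSA over small constructed primes, and the names Root CA, Intermediate CA and mail.example are assumptions; it shows that a site certificate issued under an intermediate CA stays trusted until that intermediate is revoked.

```python
import hashlib
from collections import namedtuple

# Toy model: textbook RSA over small constructed primes. Illustration only, not secure.
Cert = namedtuple("Cert", "subject issuer pub not_after is_ca sig")

def make_key(p, q, e=65537):
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def tbs(cert):
    return repr(tuple(cert[:5])).encode()        # the fields the issuer signs

def issue(issuer, issuer_priv, subject, pub, not_after, is_ca=False):
    cert = Cert(subject, issuer, pub, not_after, is_ca, sig=0)
    n, d = issuer_priv
    return cert._replace(sig=pow(digest(tbs(cert), n), d, n))  # issuer's private key

def validate(chain, host, root_store, revoked, year):
    """chain is [site cert, intermediate, ...]; root_store maps CA name -> public key."""
    if chain[0].subject != host:
        return "name mismatch"
    for i, cert in enumerate(chain):
        parent = chain[i + 1] if i + 1 < len(chain) else None
        if year > cert.not_after:
            return "expired: " + cert.subject
        if cert.subject in revoked:
            return "revoked: " + cert.subject
        if parent and not (parent.is_ca and parent.subject == cert.issuer):
            return "broken chain at " + cert.subject
        pub = parent.pub if parent else root_store.get(cert.issuer)
        if pub is None:
            return "issuer not in root store: " + cert.issuer
        if pow(cert.sig, pub[1], pub[0]) != digest(tbs(cert), pub[0]):
            return "bad signature: " + cert.subject
    return "trusted"

def demo():
    # Constructed names, keys and years (assumptions, not from the article).
    root_pub, root_priv = make_key(2**61 - 1, 2**127 - 1)
    ica_pub, ica_priv = make_key(2**89 - 1, 2**107 - 1)
    site_pub, _ = make_key(2**19 - 1, 2**31 - 1)
    ica = issue("Root CA", root_priv, "Intermediate CA", ica_pub, 2020, is_ca=True)
    site = issue("Intermediate CA", ica_priv, "mail.example", site_pub, 2015)
    check = lambda store, revoked, year: validate([site, ica], "mail.example", store, revoked, year)
    store = {"Root CA": root_pub}
    return [check(store, set(), 2014), check(store, {"Intermediate CA"}, 2014),
            check({}, set(), 2014), check(store, set(), 2016)]
```

The four results from `demo()` correspond to a valid chain, a revoked intermediate, a root missing from the store, and an expired site certificate.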

R. Ramachandran


