Introduction
The three most important things in e-communications is the C-I-A Triad. It's the presence of the: Confidentiality, integrity and availability.
Confidential means private or secret. In a computer environment, information is transmitted from a source to a target, and recently sensitive material has been in that process which includes: Government Materials/documents, Banking information and private information.
To ensure confidentiality, there are several ways to ensure that; Certificates is one.
To understand digital certificates, we must understand the keyword "Encryption".
What is Encryption?
Encryption is the process of a message being coded in a way; no one would understand the message but the receiver. The way he knows how to decode it (Decrypt it) is by knowing its key.
An example would be the following:
I Love you = my message
Each letter + 1 letter Ahead= my key
J MPWF ZPV= my encrypted message
Summarized: Encryption is made of three parts:
- The decrypted message (the plain text)
- The Key
- The encrypted message (the ciphered text)
- A private key.
- A public key.
Now that a little of encryption is explained, we can move into certificates.
What is a Digital Certificate?
A digital certificate is an electronic credential used to authenticate users. It is one of the major roles of secure communications. In a secure network infrastructure, a Public Key Infrastructure (PKI) is implemented. A PKI have basic components:
- Digital certificates: An electronic credential used to authenticate users.
- Certification Authority (CA): The digital certificate's "Factory". It is the computer that issues digital certificates; and has several other functions.
- Certification management tools: Tools that manage and audit digital certificates.
- Certificate publication point: The location where certificates are stored and published.
- Applications: The applications that use the digital certificates.
Where Digital Certificates are used?
Digital Certificates can be used in the following:
- Secure e-mails. An example would be "Outlook Express" where there is an option of "Digitally Signing" the e-mail. For example, when Alice Digitally signs a message for Bob she also attaches her Certificate to the outgoing message. Therefore, upon receiving the signed message Bob can verify the validity of Alice's Certificate. If it is successfully verified, Bob now has Alice's Public Key and can verify the validity of the original message signed by Alice.
- Secured web connections. This includes using secure socket layers (SSL), an example would be: Credit card information pages that uses the HTTPS protocol.
- Custom applications. Certificates can be used to complete the CIA-triad.
- Smart card logon process. This authenticates users using their smartcards using card devices attached to their computers.
What are private and public keys and what's the relation between them?
PKI encryption and decryption involves two keys: a public key and a private key. The relationship between the keys is defined as follows:
- Data that is encrypted with the private key can only be decrypted using the public key.
- Data that is encrypted with the public key can only be decrypted using the private key.
What is actually happening when two people communicate?
We Have Mr. "X", Ms. "Y", a message and the bad guy "Z".
X wants to send Y a message securely.
X encrypts his message using Y's public key.
X signs (re-encrypts) his message with his private key.
Y verifies the message was sent from: X by decrypting X's public key.
Y decrypts the actual data sent from X using her own private key.
Let's say:
Z (the nosy guy) intercepts the message from X.
Z verifies the message was sent from X by using Y's public key.
Z fails to access the message because he doesn't have Y's private key.
Z can't pretend he's Y because he doesn't have her private key.
Using PKI we guaranty:
- Data is secured
- Data is received from the correct source.
No comments:
Post a Comment