A digital signature is a mathematical algorithm used for proving the authenticity of digital messages or documents. A valid digital signature gives a recipient reason to believe that the message was created by a known sender authentication, that the sender cannot deny having sent the message non-repudiation and that the message was not altered in transit integrity.
2. Public Key Infrastructure
PKI is a framework that consists of, procedures, programs and security policies that employs public key cryptography and the X.509 standard (digital certificates) for secure communications.
PKI is a combination system of symmetric and asymmetric key algorithms also an infrastructure that identifies users, creates and distributes certificates, maintains and revokes certificates, distributes and maintains encryption keys, and enables technologies to communicate via encrypted communications. PKI depends on a level of trust within this framework for it to be successful and secure.
2.1. Components of a PKI:
ü Certificate authority
ü Certificate server
ü Certificate validation
ü Key recovery
3. Digital Certificates
A Digital Certificate is an electronic “password” that allows an individual person or corporation to exchange data over the Internet, securely by using the public key infrastructure (PKI). A digital certificate is issued by an authority, referred to as a certification authority (CA). A digital certificate is issued by a third party (CA) and helps to identify a person or machine and contains the public keys, name of the person that the certificate is issued to, the certificates CRL distribution point and other connected fields. Digital certificates offer support for public key cryptography because digital certificates contain the public key of the entity identified in the certificate.
By using a certificate, approves the certification authority to take a user’s public keys and many other important pieces of information and store them in a standard format which can then be signed using a digital signature.
3.1. Digital certificates classification
ü Authentication: PKI offers this through digital certificates.
ü Non-repudiation: It ensures that there is trustworthy means of ensuring ownership of an electronic document. PKI offers non-repudiation through digital signatures. ·
ü Confidentiality: The PKI ensures confidentiality through use of encryption algorithms.
ü Integrity: It is ensured by message hashing.
ü Access Control: PKI ensures access control through public and private key pairs.
3.2. Digital Certificate by verifying its signature.
Basically, Public Keys used to verify the signatures of issued Digital Certificates are publicized through many ways widely.
The CA provides a Certification Practice Statement (CPS) that clearly states its policies and practices regarding the issuance and maintenance of Certificates within the PKI. The CPS contains operational information and legal information on the roles and responsibilities of all entities involved in the Certificate. Digital Certificates are issued under the technical recommendations of the x.509 Digital Certificate by format as published the International Telecommunication Union-Telecommunications Standardization Sector (ITU-T). Users may enroll for a Digital Certificate via the Web. Upon completion of the necessary forms, the user’s Internet Browser will create a Public Key Pair. The Public half of the key pair is then sent to the CA along with all other data to appear in the Digital Certificate, while the Private Key is secured on the user’s chosen storage medium.
The CA must verify the submitted data before binding the identification data to the submitted Public Key. This prevents an impostor obtaining a Certificate that binds his Public Key to someone else’s identity and conducting fraudulent transactions using that identity.
3.3. Certificate Revocation Lists
Revocation information needs to be made available to the other users as soon as the compromised certificate is identified; this is done using certificate revocation lists (CRLs). The certificate is revoked using its unique serial number and is placed in a CRL within the directory. This CRL is signed by the CA and is checked every time a certificate is requested from the directory. The certification authority is usually configured to issue CRLs on a periodic. This ensures that once the integrity of a key is compromised it is taken out of action as soon as possible. A CRL distribution point is normally a short list of CRLs which is checked to ascertain the validity of a certificate. A PKI application will know which CRL distribution point to check by reading the ‘CRL distribution point’ field of a certificate. This field will indicate the location in the directory where the CRL for the certificate in question will be posted on the event that it is been revoked. The use of CRL distribution points ensures optimal performance of a PKI
PKI, every object is represented by an entry in the directory and involves of a series of attributes and associated attribute values. When is stored in the directory the public components are not protected by encryption, the information is stored in clear text but has been signed by the CA. When a user downloads the information, the communication is not secured, but this is not a safety risk as the information is considered to be public. The integrity of the information is however confirmed by the digital signature applied by the CA to the information.
3.5. Hierarchy of trust
In the directory, data is structured in a tree shape. The top of the tree is termed the root. It is a logical connecting point and is not represented by a directory entry. A hierarchy of trust begins with at least one certification authority that is trusted by all entities in the certificate chain. This can be an internal certification authority administrator or an external company or organization that specializes in verifying identities and issuing certificates. The root authority then certifies other certification authorities, called first-tier certification authorities, who can then issue certificates and also certify additional or second-tier certification authorities. Like Figure 1
3.6. Trust Models
The CA issues and signs all certificates and acts as the top-level trust agent facilitating a third-party trust model. Users trust each other because the CA vouches for the authenticity and integrity of the information.
There are two types of trust models:
ü Direct Trust: there are two entities involved in the trust relationship having an association before the exchange of secure information.
ü Third Party Trust: This trust model is used when trust cannot be established on an individual basis.
Digital Signatures are produced electronically, which is used to ensure the authenticity and integrity of data for example e-mail message (outlook). Whereas, Digital Certificate is like a credential for the Internet. It can be said that it’s similar to other identity proofs of a person like driver’s license or any employee ID card. Trusted third party issues digital certificates, for establishing the identity of the person who owns certificate. These third parties who issues digital certificates are known as Certificate Authority (CA). In simple words, Digital Certificates are used to do verification of the trustworthiness of a website and Digital Signatures are used to verify the trustworthiness of the information.
Normally, three algorithms are used by a digital signature system. Key generation algorithm is used to generate a public and private key pair. Another one signing algorithm is used to generate a signature which is used at time of giving out private key and a message. Finally, signature verifying algorithm is used for the verification