


Systems & Processes
August 2000 • Vol.4 Issue 3
Page(s) 126-131 in print issue

Verifying Identity In A Digital World
Digital Certificates & Signatures Lend Your Documents Legitimacy
In the movies, the president of the United States always has a red phone nearby. Everyone in the audience knows that this Hollywood device represents the most secure phone line in existence, which connects the commander-in-chief with his top brass. No one else can pretend to be the president calling because no one else can tap into that secure line.

Now imagine the president trying to communicate with his generals through the Internet by e-mail. How could the recipients be certain that the president really sent the message? After all, millions of people have access to the Internet. Since the president can't kick everyone off this worldwide computer network to make it secure, he had better concentrate on making his message secure.

Even if you're not the president, you can still sign your e-mail messages to show they came from you and verify that an e-mail from a business partner wasn't forged. You can be sure that a message sent over the Internet is authentic when you know that:

the sender is who she claims to be;

the message hasn't been tampered with as it traveled to you; and

if you enter into an agreement through such a message, it will be as legally binding as a paper contract.

In the real world, you would agree to a contract by signing your name to it under the watchful eyes of a notary public or some other witness. The online equivalent of your notarized signature doesn't have anything to do with your handwriting, but it is called a digital signature.



Certificates & Signatures. Before we explain what digital signatures are, we have to make clear what they are not: they are not graphic files of a scanned handwritten signature. These digitized signatures would be easy for someone to copy and misuse. However, handwriting recognition is a form of biometric security (safeguards based upon physiological attributes such as a person's irises or voice) discussed in the biometrics article "Who Goes There?" in this issue.

You won't ever see a digital signature, since your e-mail program or another application will handle its mechanics. Still, you can affix one to an outgoing message with the click of a button. Before you can create a digital signature, though, you will need to get something called a digital certificate.



[Screenshot: A nice red ribbon demonstrates that Outlook Express 5 verified this digitally signed message.]

Digital certificates. A digital certificate is a downloadable file you can install on your computer and use with most e-mail programs and browsers. For example, Microsoft Internet Explorer 3.02 and higher and Netscape Navigator 3 and higher can support standard X.509 V3 type certificates. You can get a digital certificate from a CA (Certification Authority), which is a company that the government and computer industry trust to verify applicants' identities. VeriSign (http://www.verisign.com) and Digital Signature Trust (http://www.digsigtrust.com) are two examples of CAs.

A digital certificate contains, among other things, a serial number, an expiration date, and two long strings of bits (binary digits) called keys, which the CA has assigned to your name and personal information. One is a public key, which anyone can access on the Internet. The other is a private key, which is secreted away inside your browser or operating system. In very basic terms, you can apply one of these keys to a message to change it into a different form, and only the other can change it back. In addition, it's considered impossible to derive the private key from its corresponding public key and vice-versa. Since only one of these can "undo" what the other has done to a message, a certificate's private and public keys let you:

digitally sign a message to prove it's authentic; and

encrypt (digitally scramble) the message so only the intended recipient can read it.

[Screenshot: The Advanced Security Settings panel in Outlook Express 5 has all kinds of neat options, such as automatic online signature verification. Click Tools, Options, the Security tab, and Advanced, then Only When Online.]

Say you apply your private key to a copy of an e-mail message and send the altered copy (now called a digital signature), along with the regular message and your public key, to an associate. Since your associate now has your public key, and his e-mail program knows that only your public key can undo what your private key did, you must have sent the message. Of course, this arrangement only works if no one else has your private key.

You can encrypt a message by coming at it from a different angle. If you have your associate's public key, you can use it to scramble a message for his eyes only. Since only his private key can decrypt (unscramble) the message, only he will be able to read it.

These two explanations are extremely simplistic and are only intended to give you the basic concepts involved. The sections below have more details.

Digital certificates come in different levels of authenticity. Class 1 certificates are the weakest type. Class 2 certificates carry more weight for proving your identity, so a CA such as GlobalSign will check your e-mail address and a signed copy of your driver's license or passport before issuing you one. To get an ultra-thorough Class 3 certificate, you'll have to physically appear before an agency that the CA trusts, called an LRA (local registration authority), and present your credentials. "There is also a Class 4 hierarchy for 'ultra-high' assurance authentication," says Mahi de Silva, vice president of engineering for VeriSign, but he adds, "we have not issued any of these certificates to date."

Many CAs offer free trial Class 1 certificates for 30 or 60 days. Follow the directions at http://www.globalsign.net/wizard/index.cfm or http://www.verisign.com/client/enrollment/index.html to request and install your certificate. The CA will e-mail you and wait for your response before processing your request. In this way, it verifies that at least your e-mail address is valid.

Once you install your digital certificate, your browser or operating system will encrypt and hide your private key. Follow the CA's or e-mail program's instructions to back up your private key on a password-protected diskette.



E-mail. Popular e-mail programs such as Microsoft Outlook, Outlook Express, and Netscape Messenger (included in the Communicator suite) make it easy to use digital certificates to create and verify digitally signed messages. They are compatible with S/MIME (Secure Multipurpose Internet Mail Extensions), which is a specification for sending and receiving secure and/or authenticated e-mail. We'll use Outlook Express 5 in our examples.

Signing. "A digital signature is sort of the moral equivalent to an encryption operation," says de Silva. "Instead of encrypting something, it just says, 'I can rely on [whoever] signed this thing because it's attached to a digital certificate.'"

To digitally sign an e-mail message, first install your own digital certificate as mentioned above. Click New Mail. Compose your message as you normally would, but click the new Sign icon on the upper right before you click Send.

Outlook Express will perform some complex mathematics on a copy of the message (leaving the original message readable to anyone). First, the program will apply a hash algorithm such as RSA Security's MD5 (Message Digest 5) to the message, which will represent the text as a message digest, or a number that is typically 128 or 160 bits long. Next, the program will combine your private key with another encryption algorithm called a signature algorithm, such as SHA-1 (Secure Hash Algorithm 1), and then apply the result to the message digest to form a digital signature. Any slight change in your private key or original message will yield a different digital signature. When you send the message, the digital signature and a copy of your certificate (which may itself be signed by a chain of the CA's certificates) will accompany it.

When your friend receives the signed e-mail, her e-mail program should automatically verify your digital signature. Her copy of Outlook Express will apply the same signature algorithm (this time using your public key) and then the same hash algorithm to the message digest to reconstitute the copied message. If this version of the message matches the plaintext (unencoded) message, it will prove that the message was not altered in transit. Your friend will see a red ribbon icon above the message.

If the ribbon icon has a red X symbol on it, it means that your friend's Outlook Express can't verify your signature for some reason. This may be because her browser doesn't yet have the root certificate (the highest level certificate) of the CA that issued your certificate. Your friend should click the icon, choose View Digital ID, and look at the Issued by: line of the General tab to get the name of the CA. She can then look for the CA's Web site and download its root certificate. If her e-mail program still doesn't recognize the digital signature, she should suspect it might be false.
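The sign-and-verify flow described above, as an added example in Python that is not part of the original article or of any e-mail program's code. It assumes SHA-256 as the hash and unpadded textbook RSA as the signature algorithm, with a constructed and deliberately insecure key; real S/MIME software uses a vetted library and a padded signature format. All function and variable names are hypothetical.

```python
import hashlib

# Constructed demonstration key, NOT secure: both primes are well-known
# Mersenne primes, chosen only so the example needs no key generation.
P = 2**521 - 1
Q = 2**607 - 1
E = 65537


def make_keypair(p, q, e=E):
    """Return (public, private) textbook-RSA keys as (exponent, modulus)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent: inverse of e
    return (e, n), (d, n)


def digest_as_int(message: bytes) -> int:
    """Hash the message; the fixed-size digest is what actually gets signed."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Apply the private key to the message digest (not to the message)."""
    d, n = private_key
    return pow(digest_as_int(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Undo the signature with the public key and compare the result with a
    digest recomputed from the message that actually arrived."""
    e, n = public_key
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == digest_as_int(message)


def demo():
    sender_pub, sender_priv = make_keypair(P, Q)
    # A second constructed key pair standing in for some other certificate.
    other_pub, other_priv = make_keypair(2**1279 - 1, 2**2203 - 1)

    message = b"Wire 500 USD to account 12345 on Friday."  # constructed sample
    signature = sign(message, sender_priv)

    return {
        "genuine": verify(message, signature, sender_pub),
        "altered_message": verify(message.replace(b"500", b"900"),
                                  signature, sender_pub),
        "altered_signature": verify(message, signature ^ 1, sender_pub),
        "signed_with_other_key": verify(message, sign(message, other_priv),
                                        sender_pub),
        "checked_with_other_cert": verify(message, signature, other_pub),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:24s} -> {'verified' if accepted else 'REJECTED'}")
```

Only the first case verifies; each rejected case corresponds to a situation in which the recipient's mail client would show the failed-verification icon instead of the plain ribbon.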

Encrypting. To keep message contents such as credit card numbers or strategic business plans secret, many users also use digital certificates to encrypt their messages and attached files in addition to digitally signing them. Without delving too deeply into the mechanics of encryption, you should be aware of the concept of key strength, or bit strength. In short, the longer the length of your public and private keys, expressed in bits, the harder it is to deduce or "crack" them. Although individual encryption algorithms may be more or less secure than others, a particular algorithm will be more secure with a higher key strength.

Although advances in computing technology have allowed some 40- and 56-bit algorithms to be cracked, de Silva defends the current use of 128-bit encryption in digital certificates because of their built-in expiration dates. "For the lifetime of the certificate, which is typically twelve months, it is just absolutely infeasible [right now] for someone to factor an attack on these kinds of certificates," he says.

In order to exchange encrypted messages with someone, you both need to have digital certificates and, preferably, recent e-mail programs. You'll also need to have a copy of your friend's certificate in your Address Book. This is because you must use his public key to encrypt the message so only he can read it with his private key.

Have your friend e-mail you a digitally signed message (which should automatically include his certificate and public key). Click the message's red ribbon icon, choose View Security Properties, and then Add to Address Book. Click OK when Outlook Express confirms this. Alternatively, you can look up your friend's certificate on the Web site of the CA that issued it to him. For example, if you know that he has a GlobalSign certificate, start looking at http://secure.globalsign.net/en/find/index.cfm.

Now click New Mail. Compose your message, and then click the Encrypt icon on the upper right. When you click Send, confirm that you want to encrypt the message.

If you receive a message that someone encrypted using your public key, Outlook Express 5 (and other programs such as Messenger 4.7 and Outlook 98) will automatically decrypt it for you.

Settings. You can adjust many of Outlook Express 5's encryption and digital certificate settings in Tools, Options, and the Security tab. Here, you can set Outlook Express to digitally sign and/or encrypt all your outgoing messages (although it needs each recipient's public key for encryption).



[Screenshot: At some point, you have to trust somebody. Here, VeriSign verifies its own server's digital certificate. Notice the closed padlock icon near the bottom, which indicates a secure connection.]

You can also set Outlook Express to double-check each incoming signed message by contacting the CA's online CRL (certificate revocation list). This will ensure that the sender's certificate hasn't expired or been revoked for some reason. Click Tools, Options, the Security tab, and Advanced. Under Revocation Checking, check the box next to Only When Online. While you're here, check the boxes next to Add Senders' Certificates To My Address Book (which will make it easier to get someone's public key) and Include My Digital ID When Sending Signed Messages, then OK.

Remember that simply digitally signing a message doesn't make it secure. Anyone could intercept and read the plaintext message sent with the signature. Likewise, encryption alone doesn't guarantee the sender's identity, as anyone with a copy of the recipient's freely distributed public key could send her an encrypted message. You can only make an e-mail really secure by using a digital signature and encryption together.



Online Transactions. Another common use of digital certificates is to shore up an online shopping site's security. It took a few years for consumers to accept the concept of buying CDs, clothing, and even cars online because stories abounded about hackers intercepting cybershoppers' credit card information. Today, this only happens when a company doesn't do a good job of protecting its Web presence with readily available security products.

The first step is for the site to have a valid digital certificate to prove that it's actually the company's Web presence. Look for an icon such as VeriSign's ribbon, which reads, "VeriSign Secure Site" and "Click To Verify." Click it and make sure that the CA's information matches that of the page you're viewing. Once you know that the site has a valid digital certificate, you can probably trust the secure connection your browser will automatically establish with certain pages.

When you browse to a page that requires a secure connection, the site will send your browser its digital certificate and a signed message. Your browser will check its list of trusted CAs to decide whether to negotiate an SSL (Secure Sockets Layer) encrypted connection with the site's server. Next, your browser will generate a random session key (an encryption key that's good for only 24 hours or less), encrypt it using the site's public key, and send it to the site. You should now see a closed padlock icon in your browser's window indicating a successful secure connection. In addition, the page's URL (universal resource locator) will now begin with "https" instead of "http".

Your browser will determine the strength of its session keys. When you installed it, you probably had a choice of using 40-, 56-, or 128-bit encryption. In Internet Explorer, click Help and About Internet Explorer, and then read the Cipher Strength line for the level of encryption it can handle.



Using Certificates. The average user might not have a crucial need for the certainty a digital certificate can provide, but a corporation's employees might. VeriSign offers certificates to individuals, de Silva says, but their main focus is selling certificates to businesses. Out of approximately four million certificates in VeriSign's database, according to de Silva, about 250,000 reflect corporate identities, such as Amazon.com or eBay.

Many businesses also buy one or more certificates for each employee. Each certificate carries the employee's name, title, department, corporate affiliation, and perhaps pointers (links) to more up-to-date information stored online. It also reflects the employee's level of trust within the company and the latitude she has in dealing with other entities. For example, a purchasing agent in charge of multimillion dollar deals might have a Class 3 (or better) certificate, which can confirm that she has the authority to represent the company in that way. Other employees may have several certificates if their level of authority varies by project. Traveling employees might use their certificates to securely connect to their company's servers from any Internet access point in the world.

One benefit to using digital signatures for electronic business transactions is that it makes any such online contracts hard to nullify. A digital signature is actually harder to forge than a handwritten signature, so neither party can "back out" of the deal by denying it took place.

Software companies need to be certain that they can detect any unauthorized changes in the huge amounts of code (software instructions) in their applications. For example, software developers may digitally sign their code to ensure that no one gets away with altering the program before its release.



Future Benefits. As this is written, Congress is weighing several federal laws which would give digitally signed electronic documents the legal weight of signed paper documents. Some states already have such laws. The Millennium Digital Commerce Act, for example, would force federal agencies to find and remove procedural barriers to using digital signatures in international commerce as broadly as possible.

One practical benefit to having a legally binding digital certificate is that you may soon be able to vote online. A digitally signed electronic ballot should be more secure than a traditional paper ballot.

De Silva foresees an increased number of digital certificates validating business-to-business, stock trading, and home banking transactions, but he says that wireless PDAs (personal digital assistants) may use the certificates for authentication and security as well. PDAs may need to use partial session keys, de Silva says, due to their limited processing power, but these should still be secure enough for temporary sensitive communications such as paying for groceries via wireless credit card transaction. In addition, VeriSign recently announced certificates that can be stored in pieces on various secure servers rather than on the user's single hard drive, both to make them harder to crack and to make them accessible to users anywhere.

Even if you don't feel the need to get your own digital certificate right now, you may later want to reconsider. Whether you're voting online, guarding business strategies, or even applying for a loan on the Web, a digital certificate is much more practical than installing a presidential red phone of your own.

by Marty Sems







Terms To Know


CA (Certification Authority)—A trusted entity that assigns public and private keys to applicants' identities.

CRL (certificate revocation list)—Your browser may consult this online database, maintained by the CA (Certification Authority), to ensure that a digital certificate has not been revoked.

digital certificate—An electronic document asserting someone's identity and linking it to a public and private key pair.

digital signature—A unique message created by applying a hash algorithm and a signature algorithm combined with the sender's private key to a plaintext message. The recipient can apply the same signature algorithm (combined with the sender's public key) and then the same hash algorithm to the digital signature to reconstitute the message. If the message matches the plaintext one sent with the digital signature, the message has not been altered.

hash algorithm—A set of procedures that represents a text message as a unique 128-bit or 160-bit number.

key strength—The length of a key in bits. Also called bit strength.

message digest—A 128- or 160-bit number created by applying a hash algorithm to an e-mail message. The message digest is ready to be digitally signed.

plaintext—A normal, readable message.

private key—A unique string of bits that should be kept secret. The owner can use the private key to decrypt a message encrypted by someone using its corresponding public key, or to create a digital signature that is verifiable by anyone with the public key.

public key—A freely distributed, unique string of bits which can be used to encrypt a message that only its corresponding private key can decrypt.

root certificate—The CA's (Certification Authority) own digital certificate, which guarantees all of its lesser certificates. Most browsers come with several CAs' root certificates already installed. You can also download root certificates from CAs' Web sites.

session key—A random key generated by a browser while negotiating a secure connection to a Web site. A server can only cache (keep) an SSL (Secure Sockets Layer) session key for 24 hours or less.











Copyright © 2009 Sandhills Publishing Company U.S.A. All rights reserved.