|
|
|
The key to better security
Keys are used to protect belongings. In general, one key never works on two different locks. Each key is like a unique encryption device. Digital certificates are based on the same principle.
A digital certificate is a digital form of identification, similar to a passport or a driver’s licence. It is a digital credential which provides information about the identity of an entity, besides other supporting data. A digital certificate is issued by an authority, referred to as a certification authority (CA), which guarantees the validity of the information in the certificate. A digital certificate is valid for only a specific period of time.
The certificates provide support for public cryptography because each of them matches a public key to a particular individual. Plus, its authenticity is guaranteed by the issuer.
The certificate provides a solution to the problem of finding a user’s public key and whether it is valid or not. These problems are solved by a user obtaining another user’s public key from the digital certificate.
When a digital certificate is issued, the issuing CA signs the certificate with its own private key. To validate the authenticity of a digital certificate, a user can obtain the CA’s public key and use it against the certificate to determine if it was signed by the former.
Similarly, as long as digital certificates are standardized, they can be read and understood regardless of who issued the certificate.
The S/MIME standard
The S/MIME standard specifies that digital certificates used for S/MIME conform to the International Telecommunications Union (ITU) X.509 standard. The X.509v3 standard governs digital certificates generally.
The S/MIME version 3 specifically requires that certificates conform to version 3 of X.509. The standard requires that digital certificates contain uniformed information. It does not provide a standard for certificates specific to S/MIME certificates. Information about digital certificates specific to S/MIME is explained in the S/MIME RFCs.
Although digital certificates are electronic, but because they are standardized, they can be used on numerous devices and not just on personal computers. They can be used on handheld devices, on mobile phones, and on portable cards, called smart cards.
Smart cards allow digital certificates to be as portable and usable as a traditional driver’s licence or passport.
The standardization of S/MIME certificates, through the S/MIME RFCs and the X.509 version 3 is a key element to the success of S/MIME since it makes digital certificates understandable to any application that conforms to the standard.
One of the benefits of public key cryptography is that it reduces key management since one pair takes the place of numerous symmetric keys. This benefit is further enhanced by digital certificates, which allow public keys to be distributed and managed. However, digital certificates are not self-managing. By design, digital certificates are widely circulated, so the management of these certificates must address the distributed nature of the certificates.
Digital certificates require a functioning infrastructure to manage the certificates in the context within which they are going to be used. Public key infrastructure (PKI) is inseparable from DCs. PKI is responsible for issuing certificates, ensuring the distribution through a directory, and validating them. The information presented here focuses on how PKI and digital certificates work in conjunction with message security.
PKI provides the means for digital certificates to be used by issuing the certificates and making them accessible through a directory. It also validates digital certificates by verifying the authenticity of the certificate, the validity of the certificate, and whether the certificate is trustworthy.
These services are crucial to digital certificates because the certificates rely on a distributed model by using third-party CAs. In general, PKI issues digital certificates and publishes information about these certificates to a directory where that information can be accessed by other applications. Some of this information is used for validating digital certificates. Message security operations require access to public keys of both the sender and recipient.
Since the digital certificate provides this information, accessing users’ digital certificates is crucial to a message security system. By providing access to these certificates, PKI builds on the benefits that public key cryptography offers in terms of simplified key management by eliminating the need to manually exchange keys. Instead, PKI makes digital certificates available through a directory so that they can be retrieved by applications when needed.
To understand how PKI validates a certificate, remember the role that the certification authority has in issuing the digital certificate. As discussed earlier, the issuing certification authority vouches for the validity of the identity, and shows this by using its public key to sign the certificate. Checking the authenticity of a certificate means that the certification authority’s digital signature must be verified.
PKI validates a certificate by providing the means by which the issuing certificate authority’s signature can be verified. A digital certificate can be compromised, usually through loss of the private key. Certificate revocation is another of the critical services that PKI provides to support digital certificates and is another part of the process of verifying them.
PKI ensures that digital certificates are trustworthy, and so, becomes its integral part. You cannot use digital signatures without PKI. Since Exchange Server 2003 supports X.509 v3 certificates, the specific PKI that supports an Exchange installation will depend on the digital certificates used with it.
From the standpoint of message security, however, all PKIs provide these fundamental services in support of digital certificates. With an understanding of digital certificates and how they support public key cryptography, the next step is to apply this information to message security.
The relationship of a public key to a user’s private key allows a recipient to authenticate and validate a sender’s message. Digital certificates extend support to public key cryptography by providing reliable means to distribute and access public keys.
When a sender is signing a message, he provides the private key that is associated with the public key available on the digital certificate. In turn, when the recipient is validating a digital signature on a message, the recipient is obtaining the public key to perform that operation from the sender’s digital certificate.
Digital certificates also support message encryption by making public keys available so that the keys can be used for the encryption process. A sender can access the recipient’s public key, which allows the former to encrypt the message, knowing that only the recipient can decrypt the message.
This time it is the recipient’s digital certificate that makes the encryption possible. As with digital signatures, the public key from the digital certificate makes the operation possible.
By understanding how digital certificates enable public key cryptography so that it provides the basic security services for digital signatures and message encryption, you can have an understanding of how S/MIME message security system works.
The writer
